desktop-music-launcher
Review
Audited by ClawScan on May 1, 2026.
Overview
This appears to be a disclosed local music launcher/controller, but users should take note of the macOS automation permissions it requires and its optional use of a Spotify access token.
Install only if you are comfortable with a skill that can launch and control local music apps. On macOS, enable Accessibility/Automation permissions only when you need direct playback control. If using Spotify precision playback, treat the access token as sensitive and prefer an environment variable over a command-line argument.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If enabled, the skill can launch music apps and control playback, and the host app may need broad macOS automation permissions.
The skill discloses that macOS control mode depends on AppleScript plus Accessibility and Automation permissions to control Spotify or Music. This is purpose-aligned for playback control, but those permissions are significant desktop-control capabilities.
The macOS control version depends on:
- `osascript`
- the host app running this Skill having been granted **Accessibility**
- the host app running this Skill having been granted **Automation**, allowing it to control Spotify / Music
Grant macOS Accessibility/Automation permissions only if you want hands-free playback control, and use the returned JSON results to verify what action was actually performed.
A Spotify token could authorize API calls associated with the token, and passing it on the command line may expose it through shell history or process listings.
The skill supports an optional Spotify access token for more precise search/playback. This is disclosed and purpose-aligned, but it is still credential-like authority and is not listed as a required credential in the registry metadata.
If `SPOTIFY_ACCESS_TOKEN` or `--spotify-token` is provided, the script calls the Spotify Search API to find the first matching track and hands the track URI directly to Spotify for playback.
Prefer a short-lived, least-privilege Spotify token via the environment variable, avoid putting tokens directly in command history, and revoke the token if it may have been exposed.
