Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Spotify Ads CLI

v1.0.0

Spotify Ads data analysis and reporting via spotify-ads-cli. Use when the user wants to check Spotify ad performance, pull aggregate or insight reports, expl...

Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes a Spotify Ads CLI and the requested capability (reading ad accounts, reports, etc.) matches that purpose. Requesting an OAuth access token for the Spotify Ads API is appropriate for the described functionality.
Instruction Scope
Instructions are limited to using the spotify-ads-cli CLI, installing it via npm if missing, and authenticating via an access token or a credentials file in ~/.config/spotify-ads-cli/credentials.json. The steps do not ask the agent to read unrelated system files or exfiltrate data to other endpoints.
Install Mechanism
There is no install spec in the registry (the skill is instruction-only). SKILL.md suggests installing it with 'npm install -g spotify-ads-cli', a standard mechanism, but that installs a global npm package from the public registry; without a declared source or homepage, the origin and trustworthiness of that package are unclear.
Credentials
SKILL.md clearly requires a Spotify OAuth access token (and a credentials file path), but the skill metadata lists no required environment variables or primary credential. That omission is an inconsistency: the runtime needs a secret (SPOTIFY_ADS_ACCESS_TOKEN or the credentials file) that the registry does not declare.
Persistence & Privilege
The skill is not always:true, does not request persistent system-wide changes in its metadata, and is instruction-only. Nothing indicates it will modify other skills or system settings.
What to consider before installing
Before installing or using this skill:
1) Verify the spotify-ads-cli package's origin (check the npm package page, author, and repository); the skill metadata provides no homepage/source.
2) Do not install global npm packages from unknown publishers without reviewing their code.
3) If you must use it, create a Spotify Developer App limited to the Ads API and use a token with the minimal scope necessary; consider using a short-lived token and storing it in a dedicated credentials file.
4) Be cautious about granting or placing long-lived tokens on your machine (~/.config/spotify-ads-cli/credentials.json).
5) Ask the publisher for a homepage/repository and a signed or verifiable release; absence of provenance is the main reason this skill is flagged as suspicious.


License

MIT-0
Free to use, modify, and redistribute. No attribution required.