Playlistable
Pass
Audited by ClawScan on May 10, 2026.
Overview
The skill appears purpose-aligned for Spotify playlist creation and management, but it requires OAuth/API-key access and can create public playlists or edit/delete Spotify playlists.
Install only if you trust Playlistable with Spotify playlist access. Treat generated playlists as public unless you change their visibility, and require explicit confirmation before editing or deleting playlists.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If authorized, the service can act on Spotify playlist data according to its granted permissions.
The skill needs delegated Playlistable/Spotify access and an API key, which is expected for the service but gives the integration account-level playlist authority.
Requires OAuth authentication via https://mcp.playlistable.io/authorize. Supports PLAYLISTABLE_API_KEY env var or config/auth.json.
Only authenticate if you trust Playlistable, review any Spotify consent screen carefully, and revoke or rotate the API key if you stop using the skill.
An accidental or misunderstood request could create a public playlist or remove a Spotify playlist.
The exposed tools can publish playlist content and delete playlist data. This is disclosed and aligned with playlist management, but mistaken use could affect the user's account.
Playlists are created as public on Spotify ... Delete a playlist by ID. Removes it from both Playlistable and Spotify.
Ask for explicit confirmation before creating public playlists or running edit/delete operations, and verify playlist IDs before deletion.
Running the auth script will launch the system browser to begin Spotify authorization.
The auth script uses shell execution to open the browser. The URL is constructed for the documented OAuth flow and is not evidence of hidden execution.
exec(`${openCmd} "${authUrl.toString()}"`);
Run the auth script intentionally, check that the opened URL is for mcp.playlistable.io/Spotify authorization, and avoid modifying the script with untrusted input.
Playlist prompts, search queries, playlist IDs, and returned playlist data may be processed by the Playlistable service.
Tool calls, parameters, and the bearer API key are sent to the remote Playlistable MCP service, which is expected for this integration but is a data boundary users should understand.
const MCP_URL = "https://mcp.playlistable.io"; ... Authorization: `Bearer ${apiKey}` ... body: JSON.stringify({ jsonrpc: "2.0", id: 1, method, params })
Avoid sending sensitive personal prompts or data through the skill unless you are comfortable with the Playlistable service handling them.
