Skill v1.0.0

ClawScan security

Playlistable · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 27, 2026, 7:43 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's code, instructions, and required secrets are coherent with a Playlistable MCP Spotify playlist client — nothing requests unrelated credentials or installs arbitrary code, though it does store an API key on-disk and delegates Spotify OAuth to an external service.
Guidance
This skill appears to do what it claims: it uses Node scripts to perform OAuth with the Playlistable MCP server and call MCP tools to create and manage Spotify playlists. Before installing, consider: (1) you will either provide PLAYLISTABLE_API_KEY or run the included auth flow which opens your browser and saves an API key to config/auth.json in the skill directory — treat that file like a secret. (2) The OAuth flow delegates Spotify sign-in and client registration to the external domain https://mcp.playlistable.io — only proceed if you trust that third party to handle your Spotify authorization and data. (3) The scripts start a temporary localhost HTTP server and open your browser during auth (expected for PKCE OAuth). If any of these behaviors are unexpected or you don’t trust the MCP host, do not install or run the auth script. Otherwise the skill is internally consistent and proportional to its stated purpose.

Review Dimensions

Purpose & Capability
ok · Name/description match the implementation: both scripts implement an MCP client that talks to https://mcp.playlistable.io to generate and manage Spotify playlists. Required binary (node) and required env var (PLAYLISTABLE_API_KEY) are appropriate for this purpose.
Instruction Scope
ok · Runtime instructions and scripts stay within the stated scope: they perform OAuth via the MCP server, open a local browser, start a localhost callback server, save an API key to config/auth.json, and call MCP JSON-RPC endpoints. The scripts only read the declared env var and config path; they do not access unrelated system paths or other credentials.
Install Mechanism
ok · No install spec; instruction-only with included Node scripts. Nothing is downloaded or installed by the skill itself, which minimizes install-time risk.
Credentials
note · Only PLAYLISTABLE_API_KEY is required (or the saved config/auth.json). This is proportionate. Note: the auth flow will create and store a long-lived API key in config/auth.json on disk; users should be aware of local storage of that secret.
Persistence & Privilege
ok · always:false and no modifications to other skills or system-wide settings. The skill writes its own config/auth.json and runs a temporary localhost server during OAuth; this is normal for an OAuth flow and scoped to the skill.