Spotify History

Pass

Audited by ClawScan on May 1, 2026.

Overview

This is a straightforward Spotify OAuth helper that reads Spotify activity data; it stores local tokens and has a broad raw-read option, but the provided code shows no hidden exfiltration or destructive behavior.

Install only if you are comfortable granting read access to your Spotify listening and playback data. Use a Spotify developer app you control, protect or delete the local token when done, prefer the curated commands over raw API calls, and review the setup script path before running it.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill can read your Spotify listening history, top artists/tracks, and current playback state until the token is deleted or the Spotify app authorization is revoked.

Why it was flagged

The skill uses persistent delegated Spotify access to read listening and playback information. This is expected for the skill's purpose, but users should be aware that the OAuth grant is ongoing: the refresh token keeps the access alive until the token file is deleted or the app authorization is revoked.

Skill content

Tokens are saved to `~/.config/spotify-clawd/token.json` and auto-refresh when expired. ... Required Scopes ... `user-read-recently-played` ... `user-top-read` ... `user-read-playback-state` ... `user-read-currently-playing`

Recommendation

Authorize only a Spotify app you control, keep the token file private, delete the token or revoke the app when no longer needed, and consider reducing playback scopes if you only need history and top-list data.
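A local hygiene check for the recommendation above, written as an added example (it is not code from the skill or from ClawScan). It assumes the helper stores the raw Spotify token response (`access_token`, `refresh_token`, a space-separated `scope` string) as JSON at the path SKILL.md names; that file layout is an assumption. The "history only" scope set is the two non-playback scopes from the skill's scope list, which is what the recommendation means by dropping playback scopes.

```python
"""Token-file hygiene check for the Spotify OAuth helper (added example).

Assumption: ~/.config/spotify-clawd/token.json holds the Spotify token
response as JSON, including a space-separated "scope" field.
"""
import json
import os
import stat
from pathlib import Path

# Scopes the skill requests, from its SKILL.md.
REQUESTED_SCOPES = {
    "user-read-recently-played",
    "user-top-read",
    "user-read-playback-state",
    "user-read-currently-playing",
}

# Enough for recently-played history and top artists/tracks; the other two
# scopes only add live playback state.
HISTORY_ONLY_SCOPES = {"user-read-recently-played", "user-top-read"}

DEFAULT_TOKEN_PATH = Path.home() / ".config" / "spotify-clawd" / "token.json"


def check_token_file(path=DEFAULT_TOKEN_PATH):
    """Report whether the token file exists, is owner-only (no group/other
    bits), which scopes it carries, and which go beyond history/top reads."""
    path = Path(path)
    report = {
        "exists": path.exists(),
        "mode_ok": False,
        "scopes": set(),
        "excess_scopes": set(),
        "has_refresh_token": False,
    }
    if not report["exists"]:
        return report
    mode = stat.S_IMODE(path.stat().st_mode)
    # Any group/other bit means another local account could read the token.
    report["mode_ok"] = (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0
    data = json.loads(path.read_text())
    report["scopes"] = set(str(data.get("scope", "")).split())
    report["excess_scopes"] = report["scopes"] - HISTORY_ONLY_SCOPES
    # A refresh token is what makes the access persistent across expiry.
    report["has_refresh_token"] = bool(data.get("refresh_token"))
    return report


def tighten_mode(path):
    """Restrict the token file to its owner (0600) and return the new mode."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return stat.S_IMODE(os.stat(path).st_mode)


def revoke_locally(path):
    """Overwrite, then delete, the token file. This removes local access only;
    the app authorization still has to be revoked in Spotify account settings."""
    path = Path(path)
    if path.exists():
        size = path.stat().st_size
        with open(path, "r+b") as f:
            f.write(b"\0" * size)
        path.unlink()
    return not path.exists()


if __name__ == "__main__":
    import tempfile
    # Constructed sample in the shape of a Spotify token response.
    sample = {
        "access_token": "BQD-sample",
        "token_type": "Bearer",
        "scope": " ".join(sorted(REQUESTED_SCOPES)),
        "expires_in": 3600,
        "refresh_token": "AQB-sample",
    }
    with tempfile.TemporaryDirectory() as d:
        p = Path(d) / "token.json"
        p.write_text(json.dumps(sample))
        os.chmod(p, 0o644)  # deliberately too permissive
        print(check_token_file(p))
        print("mode after tighten:", oct(tighten_mode(p)))
        print("deleted:", revoke_locally(p))
```

Run it against the real path once setup is complete; if `excess_scopes` is non-empty and you only use the history and top-list commands, re-authorize with the smaller scope set, and treat a `mode_ok` of `False` as something to fix before leaving the token on disk.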

What this means

If used carelessly, the agent may retrieve more Spotify account data than the user intended, within the OAuth scopes granted.

Why it was flagged

The raw JSON mode lets a user or agent choose a Spotify API endpoint, which is broader than the named history/top/recommendation commands. It is limited to Spotify GET requests and the granted scopes.

Skill content

    elif cmd == "json":
        endpoint = sys.argv[2] if len(sys.argv) > 2 else "/me"
        data = api_request(endpoint, token_data)

Recommendation

Prefer the named commands for normal use and ask for confirmation before using the raw `json` endpoint for broader Spotify API reads.
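One way to implement that recommendation in the helper itself, as an added example rather than the skill's own code: the excerpt above passes `argv[2]` straight to `api_request`, so the hardened branch below validates the endpoint against an allowlist, refuses anything that looks like a full URL (so the bearer token cannot be pointed at another host), and asks for confirmation before any read beyond the default `/me`. It assumes, as the excerpt suggests, that the skill's `api_request(endpoint, token_data)` performs a GET for a path relative to the Spotify Web API base; the allowlist of endpoints and parameters is an assumption about what the curated commands need, derived from the four granted scopes.

```python
"""Allowlisted replacement for the raw `json` command (added example).

Assumption: the skill's api_request(endpoint, token_data) issues a GET for a
path such as "/me" against https://api.spotify.com/v1. It is passed in here
so the block runs offline with a stand-in.
"""
import re
from urllib.parse import parse_qsl, urlsplit

SPOTIFY_API = "https://api.spotify.com/v1"

# Exact paths the curated commands need, each with the query parameters
# that make sense for it. Anything else is rejected before a request is made.
ALLOWED_ENDPOINTS = {
    "/me": set(),
    "/me/player/recently-played": {"limit", "after", "before"},
    "/me/top/artists": {"limit", "offset", "time_range"},
    "/me/top/tracks": {"limit", "offset", "time_range"},
    "/me/player": {"market"},
    "/me/player/currently-playing": {"market"},
}

# Query values here are numbers or short identifiers; nothing else is needed.
_SAFE_VALUE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


class EndpointRejected(ValueError):
    """Raised when a caller-supplied endpoint is outside the allowlist."""


def validate_endpoint(raw):
    """Return a canonical path[?query] for an allowlisted endpoint, or raise."""
    if not isinstance(raw, str) or not raw:
        raise EndpointRejected("empty endpoint")
    parts = urlsplit(raw)
    # A scheme or host would let the caller redirect the bearer token.
    if parts.scheme or parts.netloc:
        raise EndpointRejected("absolute URLs are not allowed")
    path = parts.path.rstrip("/") or "/"
    # Exact match: no prefixes, no encoded separators, no traversal tricks.
    if path not in ALLOWED_ENDPOINTS:
        raise EndpointRejected(f"{path!r} is not an allowlisted endpoint")
    allowed_params = ALLOWED_ENDPOINTS[path]
    params = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key not in allowed_params:
            raise EndpointRejected(f"parameter {key!r} not allowed for {path}")
        if not _SAFE_VALUE.match(value):
            raise EndpointRejected(f"unsafe value for {key!r}")
        params.append(f"{key}={value}")
    return path + ("?" + "&".join(params) if params else "")


def json_command(argv, token_data, api_request, ask=input):
    """Hardened `json` branch: validate, then confirm anything beyond the
    default /me, then call the skill's api_request."""
    endpoint = validate_endpoint(argv[2] if len(argv) > 2 else "/me")
    if endpoint != "/me":
        answer = ask(f"Allow GET {SPOTIFY_API}{endpoint}? [y/N] ")
        if answer.strip().lower() != "y":
            raise EndpointRejected("user declined")
    return api_request(endpoint, token_data)


if __name__ == "__main__":
    # Stand-in for the skill's api_request: records the call, no network.
    fake_api = lambda endpoint, token: {"endpoint": endpoint}
    print(json_command(["spotify-auth.py", "json"], {}, fake_api))
    print(json_command(["spotify-auth.py", "json", "/me/top/tracks?limit=5"],
                       {}, fake_api, ask=lambda prompt: "y"))
    for bad in ("https://api.spotify.com/v1/me", "//evil.example/me",
                "/me/playlists", "/me?fields=email"):
        try:
            validate_endpoint(bad)
        except EndpointRejected as e:
            print("rejected:", bad, "->", e)
```

When an agent rather than a person drives the helper, replace `ask` with a policy callback instead of `input`, so "confirmation" is a logged decision rather than a prompt the agent can answer for itself.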

What this means

Setup may fail if nothing exists at that relative path in the workspace, or it may run a different workspace-level script if one does exist there, instead of the helper that was reviewed.

Why it was flagged

The setup script changes to the workspace directory and then invokes a relative helper path, rather than directly invoking the reviewed helper under the skill's own script directory. This appears to be a path-coherence issue, not hidden behavior.

Skill content

    cd "$WORKSPACE_DIR"
    python3 scripts/spotify-auth.py

Recommendation

Before running setup, review the script and prefer invoking the intended helper by its explicit skill path, such as `skills/spotify-history/scripts/spotify-auth.py`, or update the setup script to use its own script directory.
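A pre-setup check for this finding, as an added example that is not part of the skill or of ClawScan's output. It models what the excerpt does (`cd "$WORKSPACE_DIR"`, then `python3 scripts/spotify-auth.py`) and reports whether that relative path resolves to the reviewed helper under `skills/spotify-history/scripts/`, fails, or is shadowed by some other file. The directory layout in the demo is constructed and assumed; `explicit_argv` builds the invocation the recommendation asks for.

```python
"""Pre-setup check for the relative helper path (added example).

Assumption: the reviewed helper lives at <skill dir>/scripts/spotify-auth.py
and the skill directory is skills/spotify-history under the workspace.
"""
from pathlib import Path

RELATIVE_HELPER = Path("scripts") / "spotify-auth.py"
SKILL_SUBDIR = Path("skills") / "spotify-history"


def resolve_setup_target(workspace_dir, skill_dir):
    """Compare what the setup script would run with what was reviewed."""
    would_run = Path(workspace_dir).resolve() / RELATIVE_HELPER  # after cd
    reviewed = Path(skill_dir).resolve() / RELATIVE_HELPER       # audited file
    if not reviewed.is_file():
        status = "reviewed-helper-missing"
    elif not would_run.exists():
        status = "setup-would-fail"      # python3 exits: no such file
    elif would_run.resolve() == reviewed.resolve():
        status = "coherent"              # same file, possibly via a symlink
    else:
        status = "shadowed"              # a different script would run
    return {"status": status, "would_run": str(would_run), "reviewed": str(reviewed)}


def explicit_argv(skill_dir):
    """The invocation the recommendation asks for: the helper by its own
    absolute path, independent of the current directory. Raises if the file
    is absent so a typo cannot fall through to some other script."""
    helper = Path(skill_dir).resolve() / RELATIVE_HELPER
    if not helper.is_file():
        raise FileNotFoundError(str(helper))
    return ["python3", str(helper)]


if __name__ == "__main__":
    import tempfile
    # Constructed workspace: reviewed helper present, nothing at the
    # workspace-level relative path yet.
    with tempfile.TemporaryDirectory() as d:
        ws = Path(d)
        skill = ws / SKILL_SUBDIR
        (skill / "scripts").mkdir(parents=True)
        (skill / RELATIVE_HELPER).write_text("print('reviewed helper')\n")
        print(resolve_setup_target(ws, skill)["status"])  # setup-would-fail
        # Now add an unrelated workspace-level scripts/spotify-auth.py.
        (ws / "scripts").mkdir()
        (ws / RELATIVE_HELPER).write_text("print('some other script')\n")
        print(resolve_setup_target(ws, skill)["status"])  # shadowed
        print(explicit_argv(skill))
```

The equivalent fix inside the bash setup script is to derive the directory from the script itself, for example `SKILL_DIR="$(cd "$(dirname "$0")" && pwd)"` followed by `python3 "$SKILL_DIR/scripts/spotify-auth.py"`, so the helper that runs is the one that was reviewed regardless of the current directory.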