Spotify History
Verdict: Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: spotify-history
Version: 1.1.0

The OpenClaw AgentSkills skill bundle for Spotify History is benign. It transparently implements a Spotify API integration, requiring the user to set up a Spotify Developer App and authenticate via OAuth 2.0. Credentials and tokens are handled securely, stored locally with appropriate permissions, and all network requests are directed solely to Spotify's official API endpoints. The `SKILL.md` and `README.md` provide clear instructions for both human users and the AI agent, with no evidence of prompt injection attempts or instructions for unauthorized actions. The `spotify-api.py` script's ability to make raw API calls is within the stated purpose of a Spotify API wrapper for advanced usage.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can read your Spotify listening history, top artists/tracks, and current playback state until the token is deleted or the Spotify app authorization is revoked.
The skill uses persistent delegated Spotify access to read listening and playback information. This is expected for its purpose, but users should be aware that this OAuth authority remains in effect until the token is deleted or the app authorization is revoked.
Tokens are saved to `~/.config/spotify-clawd/token.json` and auto-refresh when expired. ... Required Scopes ... `user-read-recently-played` ... `user-top-read` ... `user-read-playback-state` ... `user-read-currently-playing`
Authorize only a Spotify app you control, keep the token file private, delete the token or revoke the app when no longer needed, and consider reducing playback scopes if you only need history and top-list data.
If used carelessly, the agent may retrieve more Spotify account data than the user intended, within the OAuth scopes granted.
The raw JSON mode lets a user or agent choose a Spotify API endpoint, which is broader than the named history/top/recommendation commands. It is limited to Spotify GET requests and the granted scopes.
```python
elif cmd == "json":
    endpoint = sys.argv[2] if len(sys.argv) > 2 else "/me"
    data = api_request(endpoint, token_data)
```

Prefer the named commands for normal use and ask for confirmation before using the raw `json` endpoint for broader Spotify API reads.
Setup may fail or could run a different workspace-level script if one exists at that relative path.
The setup script changes to the workspace directory and then invokes a relative helper path, rather than directly invoking the reviewed helper under the skill's own script directory. This appears to be a path-coherence issue, not hidden behavior.
```sh
cd "$WORKSPACE_DIR"
python3 scripts/spotify-auth.py
```
Before running setup, review the script and prefer invoking the intended helper by its explicit skill path, such as `skills/spotify-history/scripts/spotify-auth.py`, or update the setup script to use its own script directory.
