Spotify Playlist Builder

v1.0.0

Build and manage Spotify playlists from natural language requests. Search tracks/artists/albums, create playlists, manage tracks, view listening history. Use...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description, SKILL.md, and included scripts all focus on Spotify Web API operations (search, create playlists, view listening history). The requested OAuth client ID/secret, local redirect, and scopes match the stated functionality and Feb 2026 API notes.
Instruction Scope
Runtime instructions are limited to the OAuth flow, running the provided Python scripts, and using Spotify endpoints. The workflow explicitly uses listening-history endpoints for personalization, which matches the described feature set; no unrelated files, endpoints, or broad data-collection steps are requested.
Install Mechanism
No install spec is present (instruction-only), and included code is plain Python without downloads from external/unknown hosts. This minimizes install-time risk.
Credentials
The skill does not require environment variables, but it requires the user to provide a Spotify client ID and client secret during auth. The scripts persist the client_id, client_secret, access_token, and refresh_token to ~/.openclaw/workspace/config/.spotify-tokens.json (file permissions set to 0600). Storing the client_secret and tokens locally is functionally necessary but sensitive; also the refresh command prints the access_token to stdout (not a security boundary, but something to be aware of).
Persistence & Privilege
always:false (good). The skill can be invoked autonomously by the agent (disable-model-invocation:false), which is the platform default — combine this with awareness that the skill has access to your Spotify tokens once you run auth. The skill does not modify other skills or system-wide settings.
Assessment
This skill appears to do what it says: it uses OAuth to access your Spotify account and stores the app credentials and tokens at ~/.openclaw/workspace/config/.spotify-tokens.json (file permission 600). Before installing or running: 1) only provide a client_id/client_secret from an app you created and trust; 2) be aware the secret and refresh/access tokens are stored locally (you can remove the file or revoke the app in your Spotify dashboard to cut access later); 3) the refresh flow prints tokens to stdout during refresh, so avoid running it in places where stdout is logged/shared; 4) if you don't want the agent to call this skill autonomously, disable skill invocation in your agent settings. If you want more assurance, inspect the files yourself or run the scripts in an isolated environment before granting real credentials.

Like a lobster shell, security has layers — review code before you run it.
