Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Music Discovery
v1.0.0
Recommend music tracks and playlists tailored to mood, activity, BPM, energy, or genre using Spotify and Last.fm data.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description promise Spotify/Last.fm-style discovery, but the included Python tool does not call any external APIs, does not import requests or spotipy, and only records local usage to a data file. Declared capabilities (data-backed discovery using Spotify/Last.fm) are not implemented in the code bundle.
Instruction Scope
SKILL.md instructs installing requests and spotipy and refers to OAuth/rate-limits, but gives no instructions to supply credentials or environment variables. Usage examples point to a non-existent path (docs show scripts/skills/music-discovery/scripts/... while the repo has scripts/music_discovery_tool.py), so following the docs will fail. The instructions are incomplete and inconsistent with the packaged code.
Install Mechanism
There is no install spec (instruction-only skill), which is low-risk from an installer standpoint. The only effect of running the tool is local file writes under the repo's data/ directory; no external downloads or archive extraction are present.
Credentials
The skill declares no required environment variables or primary credential, but the README explicitly references OAuth for Spotify and suggests using real API data. The absence of declared env vars is an inconsistency: if real Spotify integration is intended, credentials would be required but are not specified in the metadata.
Persistence & Privilege
always is false and the skill does not request persistent or elevated privileges. It only writes to a repository-local data file and does not modify system-wide configuration or other skills.
What to consider before installing
This package looks like a placeholder/CLI stub rather than a working Spotify/Last.fm integrator. Before installing or running it:
(1) don't provide your Spotify credentials to it until the author documents how they are used and where secrets are stored;
(2) verify the code path and usage examples (SKILL.md points to a path that doesn't exist);
(3) inspect the Python file locally — it currently only writes a local data file and does not call external APIs;
(4) if you expect real API-backed recommendations, request the author to (a) implement/declare API calls, (b) list required env vars (client ID/secret or tokens) in metadata, and (c) fix usage paths;
(5) run in a sandbox or limited environment if you want to test.
These inconsistencies could be harmless (incomplete skill) but warrant caution.
Like a lobster shell, security has layers — review code before you run it.
