Last.fm (OpenClaw)
Pass
Audited by ClawScan on May 1, 2026.
Overview
This appears to be a coherent Last.fm integration. The main thing to watch is the optional credentials that let it change loved tracks.
For read-only Last.fm profile and listening-history queries, the requested API key and username are proportionate. Add LASTFM_SESSION_KEY and LASTFM_API_SECRET only if you want the agent to love or unlove tracks, and protect those credentials carefully.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If write credentials are added, the agent can mark or unmark specific tracks as loved on the user's Last.fm account.
The skill includes write commands that can modify the user's Last.fm loved-track state when authentication is configured.
`love <artist> <track>` | Love a track ... `unlove <artist> <track>` | Unlove a track
Only configure write credentials if you want this feature, and ask the agent to confirm before running love/unlove commands if that matters to you.
Anyone or anything with access to those configured secrets could perform Last.fm write actions allowed by the session.
Optional write operations rely on a long-lived session key and API secret stored in configuration.
`LASTFM_API_SECRET`: "your_secret" ... `LASTFM_SESSION_KEY`: "your_session_key" ... Session keys do not expire unless the user revokes access.
Keep these secrets out of repositories and shared logs, configure them only when needed, and revoke the Last.fm application session if you no longer use it.
It may be harder to independently verify the publisher, source history, or future updates.
The package does not declare an upstream source or homepage, which limits provenance verification even though the provided artifacts are readable.
Source: unknown; Homepage: none
Install only from a trusted registry/source and review the included files before adding Last.fm credentials.
