Spotify Controller

v1.0.1

Control Spotify playback and devices from an AI agent using spotify.py and the official Spotify Web API. Use when users ask to check current track, play/paus...

by Egemen Yerdelen (@egemenyerdelen)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (control Spotify playback) align with required env vars (client id/secret/refresh token), the python script, and the documented Spotify Web API calls. Requested binaries and packages (python3, requests) are appropriate.
Instruction Scope
SKILL.md instructs how to obtain and provide Spotify credentials and how to run the included spotify.py. Instructions do not ask the agent to read unrelated files or send data to unexpected endpoints; the script only talks to accounts.spotify.com and api.spotify.com.
Install Mechanism
No install spec (instruction-only) and the script is included directly. SKILL.md asks to install the Python 'requests' package which is proportional. Small oddity: SKILL.md uses the prefix 'uv pip install ... --system' in multiple places (likely a typo or platform-specific helper); verify that your runtime supports that command or use plain 'pip install requests' before relying on it.
Credentials
Three environment variables (SPOTIFY_CLIENT_ID, SPOTIFY_CLIENT_SECRET, SPOTIFY_REFRESH_TOKEN) are expected and necessary for refreshing an access token and calling Spotify endpoints. No unrelated secrets or superfluous environment requirements are requested.
Persistence & Privilege
Skill is not always-enabled and is user-invocable. It does not request system-wide changes or modify other skills. SKILL.md suggests chown/chmod on the workspace file as operational guidance, which is normal but requires appropriate permissions.
Assessment
This skill appears coherent and implements only Spotify API calls. Before installing: (1) verify the skill source you obtained it from and inspect scripts/spotify.py yourself (it is included and readable), (2) do not commit SPOTIFY_* values into version control — store them in a secure secrets store or .env excluded from git, (3) generate the refresh token locally and only supply the long-lived refresh token to the runtime you trust, (4) limit the Spotify app scopes to the least privileges needed (playback control and read state), and (5) confirm the 'uv pip install' lines are applicable to your environment (use plain 'pip install requests' if unsure). If you do not want the agent to control playback autonomously, avoid enabling autonomous invocation or restrict when the skill can be called.



Runtime requirements

🎵 Clawdis
Bins: python3
Env: SPOTIFY_CLIENT_ID, SPOTIFY_CLIENT_SECRET, SPOTIFY_REFRESH_TOKEN
Primary env: SPOTIFY_CLIENT_ID
