Back to skill
Skillv1.0.1
ClawScan security
Spotify Controller · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 27, 2026, 1:31 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, instructions, and required environment variables are consistent with a Spotify playback controller and request only the credentials needed to call the Spotify Web API.
- Guidance
- This skill appears coherent and implements only Spotify API calls. Before installing: (1) verify the skill source you obtained it from and inspect scripts/spotify.py yourself (it is included and readable), (2) do not commit SPOTIFY_* values into version control — store them in a secure secrets store or .env excluded from git, (3) generate the refresh token locally and only supply the long-lived refresh token to the runtime you trust, (4) limit the Spotify app scopes to the least privileges needed (playback control and read state), and (5) confirm the 'uv pip install' lines are applicable to your environment (use plain 'pip install requests' if unsure). If you do not want the agent to control playback autonomously, avoid enabling autonomous invocation or restrict when the skill can be called.
Review Dimensions
- Purpose & Capability
- okName/description (control Spotify playback) align with required env vars (client id/secret/refresh token), the python script, and the documented Spotify Web API calls. Requested binaries and packages (python3, requests) are appropriate.
- Instruction Scope
- okSKILL.md instructs how to obtain and provide Spotify credentials and how to run the included spotify.py. Instructions do not ask the agent to read unrelated files or send data to unexpected endpoints; the script only talks to accounts.spotify.com and api.spotify.com.
- Install Mechanism
- noteNo install spec (instruction-only) and the script is included directly. SKILL.md asks to install the Python 'requests' package which is proportional. Small oddity: SKILL.md uses the prefix 'uv pip install ... --system' in multiple places (likely a typo or platform-specific helper); verify that your runtime supports that command or use plain 'pip install requests' before relying on it.
- Credentials
- okThree environment variables (SPOTIFY_CLIENT_ID, SPOTIFY_CLIENT_SECRET, SPOTIFY_REFRESH_TOKEN) are expected and necessary for refreshing an access token and calling Spotify endpoints. No unrelated secrets or superfluous environment requirements are requested.
- Persistence & Privilege
- okSkill is not always-enabled and is user-invocable. It does not request system-wide changes or modify other skills. SKILL.md suggests chown/chmod on the workspace file as operational guidance, which is normal but requires appropriate permissions.