ClawSpotify
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill appears to control Spotify as advertised, but it requires browser session cookies and an unpinned custom dependency, so it should be reviewed carefully before use.
Install only if you are comfortable giving the skill reusable Spotify browser session cookies. Review or pin the SpotAPI dependency first, use a non-critical Spotify account if possible, keep `~/.config/spotapi/session.json` protected, and remove the saved session if you stop using the skill.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or any process that can access the saved session may be able to act through the Spotify account, and pasting cookies on the command line can expose them through shell history or local process inspection.
The skill uses browser session cookies rather than a scoped OAuth-style flow and persists them for reuse, giving the tool ongoing delegated Spotify account access.
`clawspotify` authenticates using two session cookies from your browser (`sp_dc` and `sp_key`). ... Session is saved to `~/.config/spotapi/session.json` and reused automatically.
Treat `sp_dc` and `sp_key` like passwords, avoid using this on shared machines, protect or delete the saved session file when not needed, and prefer a safer scoped authentication flow if available.
The unreviewed dependency could change over time or handle Spotify session cookies in ways not visible in this skill’s artifacts.
The skill depends on a custom, unpinned external library that is not part of the reviewed artifacts and is specifically described as handling session support.
Install SpotAPI (modified version with session support) `git clone https://github.com/ejatapibeda/SpotAPI.git ... pip install -e ~/.openclaw/workspace/skills/SpotAPI`
Pin the SpotAPI dependency to a reviewed commit or release, include provenance in the install spec, and review the dependency before providing Spotify session cookies.
If invoked incorrectly, the agent could play the wrong content, change volume, skip tracks, or alter the queue on the active Spotify device.
The skill exposes user-directed commands that mutate playback state, queue, and volume; this matches the stated purpose but is still account/device control.
The agent will automatically call the right command based on user intent. ... `clawspotify volume 30` ... `clawspotify play "Radiohead"`
Use clear prompts for playback-changing actions and confirm account/device selection when using multiple Spotify accounts or shared devices.
