Back to skill
Skillv1.0.3
VirusTotal security
ClawSpotify · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:37 AM
- Hash
- 92a7a468b0c57f0d5c397267ea70cc8d36a9bb1066c0fe6808ee815bfb2d701d
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: clawspotify Version: 1.0.3 The skill is suspicious due to its explicit reliance on an external, custom GitHub repository (`https://github.com/ejatapibeda/SpotAPI.git`) for core functionality, including session management. The `SKILL.md` and `scripts/spotify.py` files instruct users to `git clone` and `pip install -e` this external dependency, which introduces a significant supply chain risk. While the provided `clawspotify` code itself does not exhibit direct malicious intent, the integrity of the skill is entirely dependent on the security of this unvetted external library, which handles sensitive Spotify session cookies (`sp_dc`, `sp_key`) stored in `~/.config/spotapi/session.json`.
- External report
- View on VirusTotal