Spotify

Review

Audited by ClawScan on May 10, 2026.

Overview

The Spotify controls match the skill's stated purpose, but setup asks the user to import Chrome cookies for authentication without scoping or documenting how that sensitive credential material is handled.

Review this skill before installing. The Spotify playback features are coherent, but importing Chrome cookies is sensitive: install only if you trust the third-party CLI tools, know where they store credentials, and are comfortable handing them your Spotify session.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Finding 1

What this means

The spogo CLI authenticates by copying Spotify session cookies out of the local Chrome profile. Whoever can read the tool's stored auth state holds the user's Spotify session, so if the tool or that state is mishandled the session can be exposed or misused.

Why it was flagged

The skill explicitly instructs the user to authenticate with cookies taken from the local Chrome browser. Browser cookies are bearer session credentials (anyone holding them can act as the logged-in user), and the artifact does not describe which cookies are read, where they are stored, how long they are retained, or how to remove them.

Skill content
spogo setup
- Import cookies: `spogo auth import --browser chrome`
Recommendation

Only import browser cookies if you trust the spogo tool and have checked where it writes credentials and with what file permissions. Prefer a clearly scoped OAuth/client-ID setup if the tool offers one; otherwise import from a separate Chrome profile used only for Spotify, and know how to revoke the session afterwards (the Spotify account page offers "Sign out everywhere", which ends all existing sessions, including one established from copied cookies).
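One way to act on "know where it stores credentials", as an added example that is not part of the skill, of ClawScan, or of spogo: run the import command under a small audit wrapper that lists every file it created or modified under a directory (typically `$HOME`) and flags any that are group- or world-readable, which is the wrong mode for a file holding session cookies. It assumes a POSIX shell with `find`, `mktemp` and `sleep`; the function names are this example's own, and the directory and the command line (for instance `spogo auth import --browser chrome`) are whatever you pass in.

```shell
#!/bin/sh
# Added example (not part of the skill, ClawScan or spogo): audit what a
# setup command writes under a directory and flag files readable by others.
# Assumes POSIX sh, find with -newer and -perm, mktemp and sleep.

# audit_writes DIR CMD [ARGS...]
# Runs CMD and prints every regular file under DIR created or modified
# while it ran, one path per line. Returns CMD's exit status.
audit_writes() {
  dir=$1; shift
  marker=$(mktemp "${TMPDIR:-/tmp}/audit-marker.XXXXXX") || return 1
  # Many filesystems keep mtime at 1-second granularity; wait so that files
  # written by CMD are strictly newer than the marker.
  sleep 1
  "$@"
  status=$?
  find "$dir" -type f -newer "$marker" 2>/dev/null | sort
  rm -f "$marker"
  return $status
}

# readable_by_others FILE
# Succeeds (exit 0) if FILE is readable by its group (mode bit 040) or by
# everyone (mode bit 004).
readable_by_others() {
  [ -n "$(find "$1" -prune \( -perm -040 -o -perm -004 \) -print 2>/dev/null)" ]
}

# audit_credential_files DIR CMD [ARGS...]
# Prints each written file prefixed with OK or EXPOSED and returns 1 if
# any written file is readable by group or others, 0 otherwise.
audit_credential_files() {
  list=$(mktemp "${TMPDIR:-/tmp}/audit-list.XXXXXX") || return 1
  audit_writes "$@" > "$list"
  exposed=0
  while IFS= read -r f; do
    if readable_by_others "$f"; then
      echo "EXPOSED $f"
      exposed=1
    else
      echo "OK $f"
    fi
  done < "$list"
  rm -f "$list"
  return $exposed
}

# Usage against the real tool (not run here):
#   audit_credential_files "$HOME" spogo auth import --browser chrome
```

Anything reported as EXPOSED should be tightened to mode 600 (or the tool reconfigured) before the agent is allowed to use the session; the list of OK paths tells you what to delete when you revoke access.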

Finding 2

What this means

If the agent invokes these commands when the user did not ask for them, it can change what is playing, move playback to another device, or add tracks to the user's Liked Songs.

Why it was flagged

The skill can run commands that change playback, select the playback device, and like tracks. These actions match the Spotify-control purpose, but each of them mutates account or playback state rather than merely reading it.

Skill content
- Playback: `spogo play|pause|next|prev`
- Devices: `spogo device list`, `spogo device set "<name|id>"`
- Like track: `spotify_player like`
Recommendation

Invoke the skill only for explicit Spotify tasks, and treat the state-changing commands (`spogo play|pause|next|prev`, `spogo device set`, `spotify_player like`) as actions to confirm rather than run automatically; `spogo device list` only reads the device list.
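One way to enforce that distinction in an agent harness, as an added example that is not part of the skill or of ClawScan: a wrapper that classifies each invocation by the command names the skill lists, runs read-only commands directly, and refuses mutating or credential-handling commands unless an explicit consent switch is set. The environment variable `SPOTIFY_ALLOW_MUTATION`, the function names and the exit codes are this example's own assumptions, and it is written for a POSIX shell.

```shell
#!/bin/sh
# Added example (not part of the skill or ClawScan): allow-list wrapper
# around the spogo / spotify_player commands named in the skill.
# SPOTIFY_ALLOW_MUTATION=1 is a hypothetical consent switch for this example.

# classify_spotify_cmd TOOL SUBCOMMAND [SUBSUBCOMMAND ...]
# Prints one of: readonly, mutating, credential, unknown.
classify_spotify_cmd() {
  case "$1" in
    spogo)
      case "$2" in
        play|pause|next|prev) echo mutating ;;   # changes what is playing
        device)
          case "$3" in
            list) echo readonly ;;               # only reads device state
            set)  echo mutating ;;               # moves playback to another device
            *)    echo unknown ;;
          esac ;;
        auth) echo credential ;;                 # imports or handles session cookies
        *)    echo unknown ;;
      esac ;;
    spotify_player)
      case "$2" in
        like) echo mutating ;;                   # writes to Liked Songs
        *)    echo unknown ;;
      esac ;;
    *) echo unknown ;;
  esac
}

# guarded_run TOOL ARGS...
# Runs read-only commands directly. Mutating and credential commands run
# only when SPOTIFY_ALLOW_MUTATION=1 is set for that invocation; anything
# unclassified is refused. Exit 77 = consent missing, 78 = unknown command.
guarded_run() {
  class=$(classify_spotify_cmd "$@")
  case "$class" in
    readonly) "$@" ;;
    mutating|credential)
      if [ "${SPOTIFY_ALLOW_MUTATION:-0}" = 1 ]; then
        "$@"
      else
        echo "refused ($class, no consent): $*" >&2
        return 77
      fi ;;
    *)
      echo "refused (unknown command): $*" >&2
      return 78 ;;
  esac
}

# Usage (not run here):
#   guarded_run spogo device list                            # runs
#   guarded_run spogo play                                   # refused, exit 77
#   SPOTIFY_ALLOW_MUTATION=1 guarded_run spotify_player like # runs
```

Because the default branch refuses anything it does not recognise, a new subcommand added to either tool is blocked until someone classifies it, which is the failure mode you want for an agent-driven integration.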

Finding 3

What this means

The skill itself is only instructions; the code that actually runs is whatever the Homebrew formulae install, so the security of the integration depends on those packages and their maintainers, not just on this skill.

Why it was flagged

The skill depends on two CLI tools installed through Homebrew: spogo from the custom tap steipete/tap, and spotify_player with no tap given, so it resolves through Homebrew's default taps. That dependency is disclosed and expected for a CLI integration, but the supplied artifacts do not include the installed code, so this review says nothing about what those binaries actually do.

Skill content
```json
"install": [
  {"id": "brew", "kind": "brew", "formula": "spogo", "tap": "steipete/tap", "bins": ["spogo"]},
  {"id": "brew", "kind": "brew", "formula": "spotify_player", "bins": ["spotify_player"]}
]
```
Recommendation

Review the Homebrew formulae and the upstream projects before installing, and in particular before importing browser cookies. After `brew tap steipete/tap`, `brew cat spogo` prints the formula so you can read the download `url` and `sha256` it pins, and `brew info spogo` shows which tap it comes from; confirm the pinned release matches the upstream repository you reviewed, and do the same for `spotify_player`.