Spotify
Advisory
Audited by static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The Spotify CLI obtains access through browser session data: if the tool or the authentication state it stores is mishandled, the user's Spotify session could be exposed or misused.
The skill explicitly instructs the user to import local Chrome browser cookies for authentication. Browser cookies are session credentials equivalent to a logged-in session, and the artifact does not describe their scope, where they are stored, how long they are retained, or how they are cleaned up.
spogo setup - Import cookies: `spogo auth import --browser chrome`
Only import browser cookies if you trust the spogo tool and know where it stores the imported credentials. Prefer a clearly scoped OAuth client-ID setup where one is available; otherwise use a separate browser profile for Spotify and know how to revoke its sessions.
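The advisory's point is that the artifact never says where the imported cookies end up or how they are protected. The script below is an added example, not spogo's own code: it audits whatever directory the caller points it at, flags files readable by group or other, detects stored Spotify session cookies in either JSON or Netscape cookie-jar form, and tightens the permissions. The cookie names checked (`sp_dc`, `sp_key`, `sp_t`) and the sample files it builds are assumptions constructed for the demo, since the page documents neither spogo's storage path nor its on-disk format.

```python
"""Audit a directory where a CLI keeps imported browser cookies.

Added example, not spogo's own code: the advisory does not say where spogo
stores imported cookies, so the directory is passed in by the caller. The
cookie names and the sample files are assumptions constructed for the demo.
"""
import json
import stat
import tempfile
from pathlib import Path
from typing import List, Tuple

# Cookie names assumed to carry a Spotify web-player session (assumption).
SESSION_COOKIE_NAMES = {"sp_dc", "sp_key", "sp_t"}
# Any permission bit for group or other on a credential file is a finding.
SHARED_BITS = stat.S_IRWXG | stat.S_IRWXO


def looks_like_session_cookie(text: str) -> bool:
    """True if text is a JSON object/array or a Netscape cookie jar that
    carries one of the session cookie names."""
    try:
        data = json.loads(text)
    except ValueError:
        data = None
    if isinstance(data, dict) and SESSION_COOKIE_NAMES & data.keys():
        return True
    if isinstance(data, list) and any(
        isinstance(c, dict) and c.get("name") in SESSION_COOKIE_NAMES for c in data
    ):
        return True
    # Netscape format: domain, flag, path, secure, expiry, name, value
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) == 7 and fields[5] in SESSION_COOKIE_NAMES:
            return True
    return False


def audit_credential_store(root: str) -> List[Tuple[str, str]]:
    """Return (filename, issue) pairs for loose permissions and stored cookies."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & SHARED_BITS:
            findings.append((path.name, f"mode {mode:o} grants group/other access"))
        if looks_like_session_cookie(path.read_text(errors="replace")):
            findings.append((path.name, "holds a Spotify session cookie"))
    return findings


def lock_down(root: str) -> List[str]:
    """Clear group/other bits on every file under root; return the files changed."""
    changed = []
    for path in Path(root).rglob("*"):
        if path.is_file():
            mode = stat.S_IMODE(path.stat().st_mode)
            if mode & SHARED_BITS:
                path.chmod(mode & ~SHARED_BITS)
                changed.append(path.name)
    return changed


def demo() -> Tuple[list, list]:
    """Build a constructed store with one leaky cookie file, audit, fix, re-audit."""
    root = tempfile.mkdtemp(prefix="spogo-audit-")
    cookies = Path(root, "cookies.json")
    cookies.write_text(json.dumps({"sp_dc": "AQB-constructed-sample-value"}))
    cookies.chmod(0o644)  # world-readable: the mistake we want to catch
    config = Path(root, "config.toml")
    config.write_text('[player]\ndevice = "Kitchen"\n')
    config.chmod(0o600)
    before = audit_credential_store(root)
    lock_down(root)
    after = audit_credential_store(root)
    return before, after


if __name__ == "__main__":
    for stage, findings in zip(("before", "after"), demo()):
        print(stage, findings)
```

Locking down permissions addresses only the local-exposure half of the finding; the cookie is still a live session credential, so the second half is knowing how to revoke that session on the Spotify side once you no longer need the tool.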
If invoked unintentionally, the agent could change what is playing, switch playback devices, or alter liked tracks.
The skill can run commands that change playback, choose devices, and like tracks. These actions match the Spotify-control purpose but still mutate account state.
Playback: `spogo play|pause|next|prev`; Devices: `spogo device list`, `spogo device set "<name|id>"`; Like track: `spotify_player like`
Use the skill only for explicit Spotify tasks, and review account-mutating actions such as liking tracks or changing devices before they run.
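One way to enforce that review is a default-deny gate between the agent and the CLI. The gate below is an added example, not part of the skill or of spogo/spotify_player: the command shapes are the ones quoted in the evidence above, while the tiers assigned to them (read-only, mutating with confirmation, never from the agent) are the policy chosen here, not anything the tools enforce. Commands are split with `shlex` and executed as an argv list, never through a shell, and shell operators are rejected outright as a defence in depth.

```python
"""Default-deny gate for Spotify CLI commands issued by an agent.

Added example, not part of the skill or of spogo/spotify_player. The command
shapes come from the advisory's evidence; the tiers are this gate's policy.
"""
import shlex
import subprocess
from typing import Callable, Optional, Tuple

# (argv prefix, tier). read = run freely, mutate = needs confirmation,
# deny = never from the agent (importing credentials is the human's job).
POLICY = [
    (("spogo", "auth", "import"), "deny"),
    (("spogo", "device", "list"), "read"),
    (("spogo", "device", "set"), "mutate"),
    (("spogo", "play"), "mutate"),
    (("spogo", "pause"), "mutate"),
    (("spogo", "next"), "mutate"),
    (("spogo", "prev"), "mutate"),
    (("spotify_player", "like"), "mutate"),
]
# Never needed as literal arguments; rejecting them keeps the gate safe even
# if someone later switches the runner to shell=True.
SHELL_OPERATORS = {";", "&&", "||", "|", ">", "<", "`"}


def classify(command: str) -> str:
    """Map a command line to a policy tier; anything unlisted is denied."""
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes
        return "deny"
    if not argv or any(tok in SHELL_OPERATORS or "\n" in tok for tok in argv):
        return "deny"
    for prefix, tier in POLICY:
        if tuple(argv[: len(prefix)]) == prefix:
            return tier
    return "deny"


def gate(command: str, confirm: Callable[[str], bool]) -> Tuple[str, bool]:
    """Decide whether a command may run; returns (tier, allowed).
    `confirm` is called only for mutating commands, e.g. to prompt the user."""
    tier = classify(command)
    if tier == "read":
        return tier, True
    if tier == "mutate":
        return tier, bool(confirm(command))
    return tier, False


def run_gated(command: str, confirm: Callable[[str], bool]) -> Optional[int]:
    """Run an allowed command as an argv list (no shell); None if blocked."""
    _tier, allowed = gate(command, confirm)
    if not allowed:
        return None
    return subprocess.run(shlex.split(command), check=False).returncode


if __name__ == "__main__":
    ask = lambda c: input(f"run {c!r}? [y/N] ").lower() == "y"
    print(run_gated("spogo device list", ask))
```

Because the policy is a prefix allowlist, a subcommand the advisory does not mention (a hypothetical `spogo status`, say) is denied until someone consciously adds it, which is the behaviour you want for an agent that may be invoked unintentionally.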
Security depends on the Homebrew packages and their maintainers, not just on this instruction-only skill.
The skill depends on external Homebrew-installed CLI tools, including one from a custom tap. That is disclosed and expected for a CLI integration, but the supplied artifacts do not include the installed code, so it could not be reviewed here.
`"install":[{"id":"brew","kind":"brew","formula":"spogo","tap":"steipete/tap","bins":["spogo"]},{"id":"brew","kind":"brew","formula":"spotify_player","bins":["spotify_player"]}]`
Review the Homebrew formulae and upstream projects before installing, especially before importing browser cookies.
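To make that review concrete, the script below turns the install spec quoted above into a pre-install checklist. It is an added example, not ClawScan's or Homebrew's code: it separates the formula from the custom tap (`steipete/tap`) from the one that falls back to the core tap, and for each lists the `brew` commands that expose who owns the tap, what the formula downloads and from where, and what it pulls in. Treating an entry without a `tap` field as coming from `homebrew/core` is this script's assumption, not something the spec format states.

```python
"""Turn the advisory's install spec into a pre-install review plan.

Added example, not ClawScan's or Homebrew's code. The spec is copied from
the advisory; reading a missing "tap" as homebrew/core is an assumption.
"""
import json
from typing import Dict, List

# Copied verbatim from the advisory's install spec.
INSTALL_SPEC = json.loads(
    '[{"id":"brew","kind":"brew","formula":"spogo","tap":"steipete/tap","bins":["spogo"]},'
    '{"id":"brew","kind":"brew","formula":"spotify_player","bins":["spotify_player"]}]'
)


def review_plan(spec: List[dict]) -> List[Dict]:
    """One plan entry per formula: where it comes from and what to run first."""
    plan = []
    for entry in spec:
        if entry.get("kind") != "brew":
            raise ValueError(f"unsupported install kind: {entry.get('kind')!r}")
        tap = entry.get("tap", "homebrew/core")  # assumption: no tap means core
        custom = tap != "homebrew/core"
        qualified = f"{tap}/{entry['formula']}"
        commands = []
        if custom:
            # Who maintains the tap and how much else lives in it.
            commands.append(f"brew tap-info --json {tap}")
            # Cloning the tap is required before brew can show its formulae.
            commands.append(f"brew tap {tap}")
        # The formula itself: source url, sha256, build and install steps.
        commands.append(f"brew cat {qualified}")
        # Declared dependencies and bottle origins, machine-readable.
        commands.append(f"brew info --json=v2 {qualified}")
        plan.append({
            "formula": entry["formula"],
            "tap": tap,
            "custom_tap": custom,
            "bins": entry.get("bins", []),
            "commands": commands,
        })
    return plan


def custom_tap_formulae(spec: List[dict]) -> List[str]:
    """Formulae that need the extra scrutiny a third-party tap deserves."""
    return [p["formula"] for p in review_plan(spec) if p["custom_tap"]]


if __name__ == "__main__":
    for item in review_plan(INSTALL_SPEC):
        flag = "CUSTOM TAP" if item["custom_tap"] else "core"
        print(f"{item['formula']} ({flag}) -> {item['bins']}")
        for cmd in item["commands"]:
            print("   ", cmd)
```

Read `brew cat` output for the download URL and checksum and for any `post_install` or shell steps, and do this before running `spogo auth import`, since the cookie import hands the tool a live session the moment it succeeds.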
