ClawHub

Mopidy Party Mode

v1.0.4

Run a Mopidy music system in party mode for shared or group chats, where everyone can contribute songs but only the host can control playback. Use by default...

0· 36·0 current·0 all-time
by@grantmacnamara
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Mopidy party-mode) match the included scripts and instructions. Required binaries (curl, jq, python3) and the single required env var (MOPIDY_URL) are appropriate for controlling a remote Mopidy JSON-RPC endpoint.
Instruction Scope
SKILL.md restricts guest actions and documents host-only controls; included scripts provide full Mopidy JSON-RPC operations (play, pause, next, clear, etc.). This is coherent (the skill exposes the operations but the policy enforces restrictions), but note the scripts call curl with -k (curl -ksS) which disables TLS certificate validation and can expose the connection to MitM attacks if MOPIDY_URL is not trusted.
Install Mechanism
No install spec (instruction-only) — low-risk from install perspective. Code files are bundled with the skill and are simple shell/Python scripts; nothing is downloaded or extracted at install time.
Credentials
Only MOPIDY_URL is required; this is proportional and expected. No unrelated secrets, config paths, or third-party credentials are requested.
Persistence & Privilege
always:false and normal autonomous invocation defaults are used. The skill does not request elevated or permanent system presence or modify other skills' configs.
Assessment
This skill appears to do what it claims: it sends JSON-RPC requests to the Mopidy endpoint you provide and enforces a guest/host policy in its text. Before installing, verify the MOPIDY_URL you provide points to a trusted Mopidy host (don't expose a public or untrusted endpoint). Prefer using a valid TLS certificate on the Mopidy server because the provided scripts call curl with -k (which disables certificate validation) — either remove the -k in the script or ensure you host Mopidy with a trusted cert. Also confirm your agent honors the SKILL.md host-only rules (guests shouldn't be able to trigger playback) and consider chat-side permissions so only designated hosts can authorize disruptive actions.

Like a lobster shell, security has layers — review code before you run it.

latestvk974kk14zmjwe3yyxnypwfegm18423cx

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binscurl, jq, python3
EnvMOPIDY_URL

Comments