Last.fm
PassAudited by ClawScan on May 1, 2026.
Overview
This instruction-only skill coherently provides read-only Last.fm API examples, with the main cautions that it asks for a Last.fm API key/username and uses HTTP curl URLs.
This appears safe to use as a read-only Last.fm helper. Before installing or invoking it, be aware that it needs your Last.fm API key and username despite the registry metadata not declaring them, and prefer HTTPS API URLs if they work for Last.fm.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent or user may make outbound requests to Last.fm to retrieve listening data and music metadata.
The skill's main mechanism is issuing curl GET requests to an external Last.fm API endpoint. This is purpose-aligned and read-oriented, but it is still external network tool use with user-provided parameters.
curl -s "http://ws.audioscrobbler.com/2.0/?method=user.getrecenttracks&user=$LASTFM_USER&api_key=$LASTFM_API_KEY&format=json&limit=10"
Use the skill only for intended Last.fm lookups, review generated methods and limits, and prefer HTTPS endpoints if Last.fm supports them.
Anyone using the skill must provide Last.fm account-related configuration, and the API key may be included in outbound request URLs.
The skill requires a Last.fm API key and username and sends them in API query parameters. This is expected for the integration, but the registry metadata does not declare required env vars or a primary credential.
`LASTFM_API_KEY` — your Last.fm API key ... `LASTFM_USER` — your Last.fm username ... `?api_key=$LASTFM_API_KEY&format=json&user=$LASTFM_USER`
Only configure these values if you want the integration, keep the API key out of shared logs/screenshots, rotate it if exposed, and check whether HTTPS can be used for the API base URL.