Back to skill
Skillv1.0.0
ClawScan security
Spotify Ab · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 23, 2026, 4:03 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This is an instruction-only informational skill about Spotify’s business and recommendations; its declared inputs and runtime instructions are coherent with that purpose and ask for no credentials or installs.
- Guidance
- This skill is essentially a packaged reference document about Spotify and appears internally consistent. It does not request credentials or install software, so it poses low technical risk. Before installing, consider: (1) source unknown—verify the content if you need authoritative, up-to-date figures (the SKILL.md may be out of date), (2) the skill provides analysis only and cannot fetch live data, and (3) allow autonomous invocation only if you are comfortable the agent can use the content without external integrations. If you need real-time or primary-source data (financial filings, Spotify API results), prefer a skill that explicitly integrates with those vetted APIs.
Review Dimensions
- Purpose & Capability
- okThe name and description promise business/algorithmic insights about Spotify and the SKILL.md provides that content. It requests no binaries, env vars, or config paths—everything required is consistent with an informational/reference skill.
- Instruction Scope
- okSKILL.md is a content/instruction document (summary + when-to-read hints). It does not direct the agent to read local files, access credentials, call external endpoints, or transmit data to unexpected locations. The instructions remain within the stated informational scope.
- Install Mechanism
- okThere is no install specification and no code files. This is the lowest-risk model: nothing is written to disk and no external packages are downloaded or executed.
- Credentials
- okThe skill declares no required environment variables, credentials, or config paths. There is no disproportionate request for secrets or unrelated credentials.
- Persistence & Privilege
- okalways is false (not force-included). The skill does not ask to modify other skills or system settings. Model invocation is enabled by default, which is normal for user-invocable skills and not by itself a concern here.