Devialet Speaker Control

Review

Audited by ClawScan on May 1, 2026.

Overview

The skill appears to do what it claims—control Devialet and Spotify playback—but users should notice its local speaker control, desktop automation, and optional Spotify token storage.

This skill is reasonable to install if you want local Devialet/Spotify control. Use it on a trusted network, verify the speaker IP before sending commands, be aware that Spotify search playback may automate your desktop with xdotool, and protect or revoke Spotify token files if you use the optional Web API helper.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A play request may send an Enter key to the active desktop session, so an unexpected focused window could receive that keystroke.

Why it was flagged

For search playback, the script controls Spotify through D-Bus and sends an Enter keypress via xdotool. This is aligned with selecting a Spotify result, but it is desktop automation rather than a purely scoped media API call.

Skill content

dbus-send --print-reply --dest=org.mpris.MediaPlayer2.spotify ... string:"spotify:search:$encoded"
export DISPLAY=:0
xdotool key Return 2>/dev/null || true

Recommendation

Use in a normal logged-in desktop session with Spotify available, and prefer explicit Spotify URIs when you want to avoid search-result or focus ambiguity.

What this means

If you use the Spotify API helper, the skill can read and change Spotify playback using a saved token.

Why it was flagged

The optional Spotify Web API helper expects local Spotify client credentials and stores OAuth tokens with playback read/modify scopes. This is purpose-aligned, but it grants account playback authority and is not reflected in the registry credential fields.

Skill content

SPOTIFY_CREDS="$CONFIG_DIR/spotify.json"
SPOTIFY_TOKEN="$CONFIG_DIR/spotify_token.json"
local SCOPES="user-read-playback-state user-modify-playback-state user-read-currently-playing"

Recommendation

Only create the Spotify credential/token files if you need Web API control, keep them private, and revoke the Spotify app token if you stop using the skill.

What this means

Installation may fail or behave unexpectedly until the local tools, speaker IP, and optional Spotify setup are configured.

Why it was flagged

The skill documentation lists local setup requirements, while the registry metadata declares no required binaries, environment variables, credentials, or config paths. This is an under-declared setup contract, not evidence of hidden behavior.

Skill content

Set the `DEVIALET_IP` environment variable... For Spotify integration: install Spotify desktop app, playerctl, and xdotool

Recommendation

Before installing, confirm the speaker IP and required local tools are available; if using Spotify API support, also account for the local credential and token files.