ClawHub

last.fm

v1.0.0

Provides detailed music data and user info from Last.fm, including artists, albums, tracks, charts, tags, and user listening stats via Last.fm API.

2· 1.5k·0 current·0 all-time
by@keyfrog-21k
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md clearly documents Last.fm API methods and example requests — this matches the skill name and expected purpose. However, the instructions say a Last.fm API key is required, while the registry metadata declares no required environment variables or primary credential. That mismatch is unexpected (the skill should declare how it expects the API key to be supplied).
Instruction Scope
The runtime instructions are limited to constructing HTTP requests to the official Last.fm API endpoint (ws.audioscrobbler.com). There are no instructions to read local files, access unrelated system state, or transmit data to third-party endpoints beyond Last.fm.
Install Mechanism
This is an instruction-only skill with no install spec and no code files — lowest-risk install model because nothing is written to disk by the skill itself.
!
Credentials
The SKILL.md explicitly requires a Last.fm API key, but requires.env and primary credential are empty in the metadata. That means the skill's expected secret handling is unspecified: a user might be prompted to paste a key into a conversation or store it in an agent env var without guidance. Because the skill can be invoked by the model autonomously (default), an undisclosed key could be used without clear user control. No other unrelated credentials are requested.
Persistence & Privilege
The skill does not request permanent presence (always: false) and does not request system-level configuration. Note: model invocation is enabled by default (disable-model-invocation: false), which is normal — if you prefer to avoid autonomous network calls using any provided API key, consider disabling autonomous invocation for the agent.
What to consider before installing
This skill appears to be a simple Last.fm API helper, but before installing: 1) Confirm the publisher/source (there is no homepage or origin listed). 2) The SKILL.md requires a Last.fm API key, yet the skill metadata doesn't declare how that key should be provided — ask the publisher or avoid storing the key in a global env variable. 3) If you supply an API key, prefer entering it only when needed (or store it under a scoped secret) and consider disabling autonomous invocation so the agent cannot call the API without explicit user consent. 4) If you need stronger assurance, request a version with explicit metadata declaring the required credential and a verified homepage or repository.

Like a lobster shell, security has layers — review code before you run it.

latestvk973c385m4ympnxamyke169vfh80jc0n

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments