SpotiClaw
Pass. Audited by ClawScan on May 1, 2026.
Overview
SpotiClaw appears to be a Spotify API client whose purpose is disclosed, but it gives the agent OAuth-based read/write access to parts of your Spotify account.
Install this only if you want your agent to interact with and potentially modify your Spotify account. Keep the Spotify client secret and .spotify_cache file private, authorize only scopes you are comfortable with, and revoke the Spotify app if you stop using the skill.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If installed and configured, the agent can use your Spotify identity for the scopes granted during OAuth.
The skill requires Spotify app credentials and an OAuth token cache, giving the agent delegated access to the user's Spotify account.
Requires SPOTIFY_CLIENT_ID, SPOTIFY_CLIENT_SECRET, SPOTIFY_REDIRECT_URI, and a local .spotify_cache token file.
Use a Spotify app you control, review the OAuth scopes before authorizing, protect the .env and .spotify_cache files, and revoke the app from Spotify if you no longer use the skill.
The agent can change playback, playlists, and saved library items if prompted or allowed to use these primitives.
The implementation exposes mutating Spotify API actions such as removing library items and creating playlists. This matches the stated Spotify client purpose, but it can change account data.
def remove(uris: list[str]) -> dict:
    ...
    requests.delete(url, headers=_headers(), params={"uris": ",".join(uris)})
    ...

def create(name: str, description: str = "", public: bool = False) -> dict:
    return post("/me/playlists", name=name, description=description, public=public)

Give explicit instructions for account-changing actions, and review playlist/library changes before asking the agent to perform bulk edits or public playlist updates.
Future installs may receive newer dependency versions than the author originally tested.
The setup uses external Python packages without version pins. These are common and purpose-aligned dependencies, but unpinned packages can change over time.
requests, python-dotenv
Install in a virtual environment and consider pinning known-good versions if you need reproducible or higher-assurance deployments.
