Tidal CLI
AdvisoryAudited by Static analysis on May 4, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill means trusting the external npm CLI package to run on the local machine and handle Tidal account actions.
The skill depends on an external npm package to provide the tidal-cli binary, while the supplied artifact set contains only SKILL.md and no reviewed package source.
package: "@lucaperret/tidal-cli"
Install only if you trust the npm package and publisher; consider reviewing the package source and npm metadata before authenticating.
Anyone or any process able to use that session file may be able to act on the user's Tidal account through the CLI.
The skill uses a persistent local Tidal login session, which is expected for Tidal account control but gives the CLI ongoing delegated access to the user's account.
Credentials persist at `~/.tidal-cli/session.json` and auto-refresh.
Use this only on trusted devices, protect the session file, and revoke or remove the session if the package or machine is no longer trusted.
If invoked incorrectly, the agent could remove or change playlists or library items in the user's Tidal account.
The documented CLI supports mutating and deleting Tidal account data such as playlists, playlist tracks, and library favorites.
tidal-cli --json playlist delete --playlist-id <id> tidal-cli --json playlist remove-track --playlist-id <id> --track-id <track-id> tidal-cli --json library remove --artist-id <id>
Confirm the target playlist, track, album, or artist before running rename, delete, add, or remove operations, especially destructive ones.