Spotify-Linux

Advisory

Audited by static analysis on May 7, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent can play, pause, skip, open Spotify URIs, and adjust volume in the local Spotify desktop client.

Why it was flagged

The skill instructs use of DBus commands to directly control Spotify playback. This is central to the stated purpose, but it gives the agent the ability to change what is playing.

Skill content

dbus-send --print-reply --dest=org.mpris.MediaPlayer2.spotify ... org.mpris.MediaPlayer2.Player.PlayPause

Recommendation

Use this skill only when you want the agent to control Spotify, and ask it to confirm before changing playback if that matters to you.

What this means

The launched Spotify process will run in the user's active graphical session, not an isolated environment.

Why it was flagged

The helper script discovers and exports the local X11/Wayland authorization path so Spotify can start in the active desktop session. This is purpose-aligned but uses local session authority.

Skill content

XAUTHORITY=$(ps aux | grep -E 'Xwayland|Xorg' ... grep -oP '\-auth \S+' ...)
export DISPLAY=:0
export XAUTHORITY

Recommendation

Only use this on a trusted local Linux desktop session, and avoid running it in shared or privileged sessions where display access should be tightly controlled.

What this means

The skill may fail or behave unexpectedly on non-Linux systems or systems without Spotify, dbus-send, or a usable XAUTHORITY session.

Why it was flagged

The registry metadata does not declare the Linux-specific binaries/session requirements described in SKILL.md, so automated installation checks may not catch missing or incompatible prerequisites.

Skill content

Required binaries (all must exist): none ... Env var declarations: none ... OS restriction: none

Recommendation

Before using it, verify you are on Linux with the Spotify desktop client, DBus tools, and an active graphical session available.

Note: High Confidence

ASI10: Rogue Agents

What this means

Spotify may continue running after the agent task or OpenClaw session ends.

Why it was flagged

The skill intentionally launches Spotify detached from the agent process tree. This is disclosed and aligned with launching a desktop app, but it creates a persistent local process.

Skill content

Launch with setsid (fully detached, survives agent restarts)

Recommendation

If you do not want Spotify to remain active, close Spotify manually or ask the agent to stop playback after use.