Spotify-Linux
PassAudited by VirusTotal on May 7, 2026.
Overview
Type: OpenClaw Skill Name: spotify-cachyos-linux Version: 1.0.1 The skill provides legitimate functionality for controlling the Spotify desktop client on Linux via MPRIS DBus. It includes instructions in SKILL.md and a helper script in scripts/launch_spotify.sh to launch the application, manage playback, and adjust volume. The use of 'ps aux' to discover the Xauthority path is a common technique for enabling GUI applications to run from automated environments and does not indicate malicious intent.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent can play, pause, skip, open Spotify URIs, and adjust volume in the local Spotify desktop client.
The skill instructs use of DBus commands to directly control Spotify playback. This is central to the stated purpose, but it gives the agent the ability to change what is playing.
dbus-send --print-reply --dest=org.mpris.MediaPlayer2.spotify ... org.mpris.MediaPlayer2.Player.PlayPause
Use this skill only when you want the agent to control Spotify, and ask it to confirm before changing playback if that matters to you.
The launched Spotify process will run in the user's active graphical session, not an isolated environment.
The helper script discovers and exports the local X11/Wayland authorization path so Spotify can start in the active desktop session. This is purpose-aligned but uses local session authority.
XAUTHORITY=$(ps aux | grep -E 'Xwayland|Xorg' ... grep -oP '\-auth \S+' ...) export DISPLAY=:0 export XAUTHORITY
Only use this on a trusted local Linux desktop session, and avoid running it in shared or privileged sessions where display access should be tightly controlled.
The skill may fail or behave unexpectedly on non-Linux systems or systems without Spotify, dbus-send, or a usable XAUTHORITY session.
The registry metadata does not declare the Linux-specific binaries/session requirements described in SKILL.md, so automated installation checks may not catch missing or incompatible prerequisites.
Required binaries (all must exist): none ... Env var declarations: none ... OS restriction: none
Before using it, verify you are on Linux with the Spotify desktop client, DBus tools, and an active graphical session available.
Spotify may continue running after the agent task or OpenClaw session ends.
The skill intentionally launches Spotify detached from the agent process tree. This is disclosed and aligned with launching a desktop app, but it creates a persistent local process.
Launch with setsid (fully detached, survives agent restarts)
If you do not want Spotify to remain active, close Spotify manually or ask the agent to stop playback after use.