sonos
Pass
Audited by ClawScan on May 1, 2026.
Overview
This Sonos skill is coherent and purpose-aligned, but users should note that it installs an external, unpinned CLI and that the agent can change playback, volume, grouping, and queues on local speakers.
It appears safe to install if you want agent-assisted Sonos control. Be aware that it can affect speakers on your local network (playback, volume, grouping, queues) and that it installs the Sonos CLI from an external Go module at @latest, so a later install may pull code that differs from what was reviewed.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could change what is playing, adjust volume, alter groups, or clear a speaker queue if asked or if it decides the action is relevant.
The skill documents commands that can change playback, volume, grouping, and queues on local Sonos speakers. This is expected for the stated purpose, but users should be aware the agent can invoke device-control commands.
`sonos play|pause|stop --name "Kitchen"`; `sonos volume set 15 --name "Kitchen"`; `sonos queue list|play|clear`
Install only if you want the agent to control local Sonos speakers, and review prompts carefully before allowing disruptive actions such as queue clearing or volume changes.
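One way to keep the disruptive actions behind a human is to put a thin policy wrapper in front of the CLI and point the agent at the wrapper instead. The script below is an added example, not part of the skill or of sonoscli; the subcommand shapes (`play|pause|stop`, `volume set N`, `queue list|play|clear`) are those quoted in the finding above, while the volume cap, the list of forwarded subcommands, and the `sonos-guard` name are assumptions to adjust for your own setup.

```shell
#!/bin/sh
# sonos-guard: allow-list wrapper for the `sonos` CLI (added example, not from the skill).
# Forwards only known subcommands, caps `volume set`, and refuses `queue clear`.
# MAX_VOLUME is an assumed default; override with SONOS_GUARD_MAX_VOLUME.

MAX_VOLUME="${SONOS_GUARD_MAX_VOLUME:-30}"

# sonos_guard_check ARGS... -> returns 0 if the invocation is allowed, 1 otherwise.
# Prints the denial reason on stderr. Never executes anything itself.
sonos_guard_check() {
  sub="${1:-}"; action="${2:-}"; value="${3:-}"

  # Only subcommands we are willing to forward; anything else is rejected outright.
  case "$sub" in
    play|pause|stop|volume|queue) ;;
    *) echo "denied: unknown or unlisted subcommand '$sub'" >&2; return 1 ;;
  esac

  case "$sub $action" in
    "queue clear")
      echo "denied: queue clear is disruptive; run it by hand" >&2
      return 1 ;;
    "volume set")
      # Require a plain non-negative integer before comparing numerically.
      case "$value" in
        ''|*[!0-9]*) echo "denied: volume must be a non-negative integer" >&2; return 1 ;;
      esac
      if [ "$value" -gt "$MAX_VOLUME" ]; then
        echo "denied: volume $value exceeds cap $MAX_VOLUME" >&2
        return 1
      fi ;;
  esac
  return 0
}

# sonos_guard ARGS... -> run the real CLI only when the policy check passes.
sonos_guard() {
  sonos_guard_check "$@" || return 1
  command sonos "$@"
}

# When installed as `sonos-guard` on PATH, act as the wrapper:
#   sonos-guard volume set 15 --name "Kitchen"
case "$0" in
  */sonos-guard|sonos-guard) sonos_guard "$@" ;;
esac
```

Give the agent `sonos-guard` rather than `sonos`, and keep the unwrapped binary for yourself; the check is deliberately a plain function so you can extend the policy (per-speaker caps, a confirmation prompt for grouping changes) without touching the CLI.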
If you configure Spotify credentials, the Sonos CLI may use them for Spotify-related search features.
The skill may use optional Spotify API credentials for music search. This is purpose-aligned, and the artifacts do not show hardcoding, logging, or unrelated use of those credentials.
Spotify Web API search is optional and requires `SPOTIFY_CLIENT_ID/SECRET`.
Use limited-purpose Spotify API credentials where possible, supply them through the environment rather than pasting secrets into the agent conversation, and rotate them if they are ever echoed into a transcript.
A future install could receive a newer version of the Sonos CLI than the one originally reviewed.
The skill installs an external Go module using the mutable @latest version, which `go install` resolves to whatever the newest tagged release is at install time. This is disclosed and matches the Sonos CLI purpose, but the installed code is not pinned to a specific version in the artifacts.
go | module: github.com/steipete/sonoscli/cmd/sonos@latest | creates binaries: sonos
Prefer a pinned module version (an explicit `@vX.Y.Z` tag) if reproducibility matters, install from sources you trust, and after installing confirm what was actually built with `go version -m` on the resulting binary.
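The check below is an added example, not part of the skill or of sonoscli: it classifies a `go install` spec like the one in this finding as pinned or not. Exact tags (`@v1.2.3`), pseudo-versions (`@v0.0.0-20240101120000-abcdef123456`) and full-enough commit hashes are accepted; `@latest`, branch names, partial versions such as `@v1.2` (a query Go resolves at install time) and specs with no `@` suffix are rejected. The `go list -m -versions` and `go version -m` commands in the helpers are standard Go tooling; the `example.com` module paths in the test are constructed.

```shell
#!/bin/sh
# go_spec_is_pinned SPEC -> 0 if SPEC names an immutable version, 1 otherwise.
# Added example; the heuristics are ours, not Go's resolution rules in full.
go_spec_is_pinned() {
  spec="$1"
  case "$spec" in
    *@*) ver="${spec##*@}" ;;
    *) echo "unpinned: '$spec' has no @version suffix (resolves like @latest)" >&2; return 1 ;;
  esac
  case "$ver" in
    v[0-9]*.[0-9]*.[0-9]*)
      # Full semver tag or pseudo-version: immutable once published.
      return 0 ;;
    latest|upgrade|patch)
      echo "unpinned: '@$ver' is resolved at install time" >&2; return 1 ;;
    *)
      # A commit hash of 7..40 hex digits also identifies fixed content.
      if printf '%s\n' "$ver" | grep -Eq '^[0-9a-f]{7,40}$'; then
        return 0
      fi
      echo "unpinned: '@$ver' is a branch or version query, not an exact version" >&2
      return 1 ;;
  esac
}

# go_list_tags MODULE -> print the tagged versions Go knows for MODULE (needs network).
# Use this to pick a concrete tag for the @vX.Y.Z form, e.g.
#   go_list_tags github.com/steipete/sonoscli
go_list_tags() {
  go list -m -versions "$1"
}

# go_binary_info BINARY -> show module path, version and checksum embedded in a Go binary,
# so you can confirm what an @latest install actually produced, e.g.
#   go_binary_info "$(command -v sonos)"
go_binary_info() {
  go version -m "$1"
}

# Stand-alone usage: ./check-pin.sh github.com/steipete/sonoscli/cmd/sonos@latest
case "$0" in
  */check-pin.sh|check-pin.sh) go_spec_is_pinned "$1" ;;
esac
```

Run the check against the skill's install spec before installing; when it rejects the spec, pick a tag from `go_list_tags`, install with that tag, and keep the `go_binary_info` output alongside the audit record so the reviewed version is known.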
