Spotify
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill is a plausible Spotify controller, but it tells the agent to run a missing local Python script with Spotify/Keychain access, so the real behavior is not reviewable from the package.
Treat this as a review-before-use skill. It appears intended for Spotify control, but the package does not include the Python script it tells the agent to run. Before installing, verify the actual helper code from the homepage or another trusted source, check the Spotify OAuth scopes, use a dedicated Spotify developer app if possible, and require confirmation for playlist-changing actions.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Finding 1

The agent may try to run unreviewed local code under the user's account, potentially with Spotify credentials once configured.

The provided manifest contains only SKILL.md and no reviewed spotify.py helper, yet the skill’s primary workflow depends on executing that missing local script.

> **ALWAYS run `python3 ~/.openclaw/scripts/spotify.py [cmd]`** — never respond with text only.

Only enable this after obtaining the actual spotify.py from a trusted source, reviewing it, and confirming it is installed where the skill expects.

Finding 2

The helper could gain authority to read Spotify library/listening data and change playback or playlists, but the reviewed package does not show how that access is limited.

The skill requires persistent Spotify app credentials and an OAuth login, but the registry declares no credential contract and the supplied artifacts do not show OAuth scopes or token handling.

Credentials via macOS Keychain ... `security add-generic-password -a openclaw -s openclaw.spotify.client_secret -w "CLIENT_SECRET"` ... First auth — run `now`, browser opens, log in once

Use a dedicated Spotify developer app, inspect the helper’s OAuth scopes and token storage, and revoke the app’s access if you stop using the skill.

Finding 3

A mistaken or over-broad request could alter playlists, queue music, or change playback state.

These commands can mutate the user's Spotify account by creating or modifying playlists; this is purpose-aligned, but it is still account-changing authority.

`make-playlist "Top March 2026" short 20` ... `create-playlist "My Playlist" "Description"` ... `add-to-playlist PLAYLIST_ID URI1 URI2`

Ask the agent to confirm before creating playlists, adding tracks, changing volume, or queueing many items.

Finding 4

Installing or running the helper may bring in external Python code that was not analyzed in the provided artifact set.

The skill documents installing a Python package and running Python commands. That is expected for a Spotify API helper, but the dependency is not version-pinned and is not represented in the registry install spec.

`"install": [{ "id": "pip", "kind": "pip", "package": "spotipy", "label": "Install spotipy (pip)" }]`

Install dependencies from trusted package sources, prefer pinned versions, and review the helper before first use.
