Skill v2.0.1
ClawScan security
Spotify · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 16, 2026, 9:25 PM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's instructions ask the agent to run a local script and to store Spotify credentials in the macOS Keychain, but the package provides no install spec and no code, and it does not declare OS or credential requirements. This mismatch is suspicious and should be inspected before use.
- Guidance: Do not install or run this skill without verifying the missing pieces. Specifically:
  1. Confirm the repository/source actually provides ~/.openclaw/scripts/spotify.py and inspect its source code to ensure it only does the expected Spotify API and app-control actions.
  2. Verify the install steps (how the script gets installed) and prefer an explicit, packaged install procedure rather than ad hoc local scripts.
  3. Be aware this is macOS-specific (it uses Keychain and likely AppleScript); the registry did not declare an OS restriction.
  4. Only add your Spotify client_id/client_secret to Keychain after auditing the script, so you know the keys won't be exfiltrated.
  5. Request that the publisher add explicit install metadata, declare the required credentials/OS, or bundle the script so you can review it.
  If you cannot verify the script/source, treat this skill as unsafe to use.
Review Dimensions
- Purpose & Capability
  - concern: The SKILL.md describes a local script (~/.openclaw/scripts/spotify.py) that provides full Spotify control and uses the macOS Keychain for credentials, but the registry bundle contains no code and no declared OS restriction. The described capabilities (auto-launching Spotify, Keychain access, local script execution) are plausible for a Spotify helper, but the skill does not include the script or clearly declare that macOS and a local script are required.
- Instruction Scope
  - concern: Runtime instructions explicitly demand executing a local script path and adding client_id/client_secret to the macOS Keychain. The skill tells the agent to 'ALWAYS run python3 ~/.openclaw/scripts/spotify.py [cmd]', which gives the agent permission to execute arbitrary local code that is not supplied with the skill. The instructions also direct storing secrets with the macOS security CLI; credential handling is present but not declared in the registry metadata.
- Install Mechanism
  - concern: The registry lists no install spec and there are no code files, yet the SKILL.md metadata includes an install entry for the pip package 'spotipy'. Spotipy is a reasonable dependency, but it does not provide the referenced local script. This mismatch (no install, no code, but instructions that require a script) is inconsistent and increases risk because the expected script could come from an unverified external source or require manual installation steps not documented in the registry.
- Credentials
  - concern: The skill requires Spotify client_id/client_secret stored in the macOS Keychain (the instructions show using 'security add-generic-password'), but the registry metadata lists no required credentials or primaryEnv. Asking for client credentials is proportionate to the task, but the absence of declared credential requirements and an OS restriction is a misalignment and could lead to unexpected secret storage/exposure if the script's behavior is not audited.
- Persistence & Privilege
  - concern: Although always:false is set and no autonomous elevation flags are present, the instruction to always execute a local script (which the skill does not ship) effectively grants the agent permission to run arbitrary local code whenever it is invoked. That creates a potentially large blast radius if the referenced script is malicious or replaced; a persistent implicit dependency without provenance is risky.
