Spotify Connect
Pass
Audited by ClawScan on May 10, 2026.
Overview
The skill’s Spotify playback control behavior is coherent and disclosed, with ordinary notes around local OAuth token storage and an auto-installed Python dependency.
This looks like a normal Spotify Connect integration. Before installing, confirm you are comfortable saving Spotify OAuth tokens locally, giving the skill playback-control scopes, and letting uv install the Spotipy dependency. Use the logout command to remove accounts you no longer want available to the agent.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A saved Spotify profile can be used to pause, play, skip, change volume, and transfer playback on that Spotify account’s available devices.
The script requests Spotify OAuth scopes that allow reading playback state and changing playback; no library, profile, or email scopes appear in the request. These permissions are directly aligned with controlling Spotify Connect devices.
SCOPES = "user-modify-playback-state user-read-playback-state user-read-currently-playing"
Use a Spotify app you control, keep the client secret private, and remove profiles with the logout command when you no longer want the skill to control that account.
Anyone with read access to the user's local OpenClaw config files can obtain the cached Spotify authorization material and control playback on that account until the grant is revoked.
The skill persists OAuth tokens for named Spotify accounts so it can continue to operate without re-authenticating each time. This is disclosed and expected for the integration.
This creates a named account profile with an auto-refreshing token.
Restrict the local ~/.openclaw/spotify-connect directory and its files to the owning user (no group or world read access), and avoid authenticating accounts you do not want the agent to control. The logout command removes the local profile; because an auto-refreshing profile holds a refresh token, a copy taken before logout keeps working, so also remove the app from the connected apps in the Spotify account settings if you suspect exposure.
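The following is an added example, not code from the skill or from ClawScan, that audits a profile directory for the two points raised in these findings: file and directory permissions, and whether a cached grant carries scopes beyond the three the script requests. The directory name comes from the page; the per-profile JSON layout (access_token, refresh_token, scope, expires_at) is an assumption modelled on Spotipy's file cache, and the demo() profiles are constructed, not real tokens.

```python
"""Audit locally cached Spotify OAuth profiles (added example, not the skill's own code)."""
import json
import os
import stat
import tempfile
import time
from pathlib import Path
from typing import Optional

# The page names this directory; the per-profile JSON layout is an assumption
# modelled on spotipy's CacheFileHandler (access_token, refresh_token, scope, expires_at).
DEFAULT_PROFILE_DIR = Path.home() / ".openclaw" / "spotify-connect"

# Exactly the scopes ClawScan quotes from the script; anything beyond them is unexpected.
EXPECTED_SCOPES = {
    "user-modify-playback-state",
    "user-read-playback-state",
    "user-read-currently-playing",
}


def audit_profile(path: Path, now: Optional[float] = None) -> dict:
    """Inspect one cached token file and report what a reader of that file would get."""
    now = time.time() if now is None else now
    mode = stat.S_IMODE(path.stat().st_mode)
    try:
        tok = json.loads(path.read_text())
    except (json.JSONDecodeError, UnicodeDecodeError):
        tok = {}
    granted = set(str(tok.get("scope", "")).split())
    expires_at = tok.get("expires_at")
    return {
        "profile": path.stem,
        # Any group/other bit means another local account can read the grant.
        "group_or_world_readable": bool(mode & 0o077),
        "unexpected_scopes": sorted(granted - EXPECTED_SCOPES),
        # A refresh token keeps the grant usable after the access token expires.
        "has_refresh_token": bool(tok.get("refresh_token")),
        "access_token_expired": expires_at is not None and float(expires_at) < now,
    }


def audit_dir(profile_dir: Path = DEFAULT_PROFILE_DIR) -> dict:
    """Audit the directory mode and every profile file inside it."""
    if not profile_dir.is_dir():
        return {"directory_group_or_world_accessible": False, "profiles": []}
    dir_mode = stat.S_IMODE(profile_dir.stat().st_mode)
    return {
        "directory_group_or_world_accessible": bool(dir_mode & 0o077),
        "profiles": [audit_profile(f) for f in sorted(profile_dir.iterdir()) if f.is_file()],
    }


def needs_attention(report: dict) -> bool:
    """A profile needs attention if others can read it or it holds more than the expected scopes."""
    return report["group_or_world_readable"] or bool(report["unexpected_scopes"])


def demo() -> dict:
    """Build two constructed profiles in a private temp dir (placeholder tokens) and audit them."""
    tmp = Path(tempfile.mkdtemp())
    os.chmod(tmp, 0o700)
    good = {"access_token": "x", "refresh_token": "y", "expires_at": time.time() + 3600,
            "scope": " ".join(sorted(EXPECTED_SCOPES))}
    bad = {"access_token": "x", "refresh_token": "y", "expires_at": 0,
           "scope": "user-read-playback-state user-read-email"}
    (tmp / "work.json").write_text(json.dumps(good))
    os.chmod(tmp / "work.json", 0o600)
    (tmp / "shared.json").write_text(json.dumps(bad))
    os.chmod(tmp / "shared.json", 0o644)  # deliberately too permissive
    return audit_dir(tmp)


if __name__ == "__main__":
    for p in audit_dir()["profiles"]:
        print(p["profile"], "NEEDS ATTENTION" if needs_attention(p) else "ok", p)
```

Run it as-is to check the real profile directory; the constructed demo() shows the expected output shape for one clean profile and one that is both group-readable and over-scoped.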
Future dependency updates could change behavior compared with what was reviewed here.
The script relies on uv to install Spotipy using a lower-bound version specifier instead of an exact pin. This is normal integration plumbing, but it means the code that actually runs depends on whatever version the package index serves at install/run time.
dependencies = ["spotipy>=2.24.0"]
Prefer an exact pin (a single "==" specifier) if supply-chain stability matters; otherwise run the install once, note the Spotipy version uv resolved, and review that version before first use.
