spongo
Review
Audited by ClawScan on May 10, 2026.
Overview
This Spotify terminal-control skill is mostly coherent, but it asks to import Chrome browser cookies for authentication without enough scoping or credential-handling detail.
Review this skill before installing. It is coherent for Spotify terminal control, but the `spogo` cookie-import setup is sensitive: only proceed if you trust the external CLI and are comfortable letting it read Chrome browser cookies for authentication.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The Spotify CLI may gain access through browser session cookies, which could expose more sensitive account/session material than a normal scoped OAuth setup if mishandled by the external tool.
This tells the user or agent to authenticate by importing Chrome browser cookies. Browser cookies/session stores are sensitive local credential material, and the artifacts do not clearly bound which cookies are accessed, how they are stored, or how access is revoked.
spogo setup - Import cookies: `spogo auth import --browser chrome`
Only run cookie import if you trust `spogo` and understand what it imports; prefer a documented OAuth/config flow when available and revoke or clear imported credentials when no longer needed.
If invoked at the wrong time, the agent could change playback state, select a device, or like a track on the user's Spotify account.
The skill documents commands that can control playback, switch Spotify Connect devices, and modify liked tracks. These actions fit the stated Spotify-control purpose, but they are still account-affecting actions.
- Playback: `spogo play|pause|next|prev`
- Devices: `spogo device list`, `spogo device set "<name|id>"`
- Like track: `spotify_player like`
Use the skill for explicit Spotify requests and review actions that change devices or library state.
The installed CLI tools will run locally and may handle Spotify authentication, so their trustworthiness matters.
The skill's functionality depends on external Homebrew packages, including a third-party tap for `spogo`. This is disclosed and central to the skill, but provenance and package behavior are outside the provided artifact set.
"install":[{"id":"brew","kind":"brew","formula":"spogo","tap":"steipete/tap","bins":["spogo"]},{"id":"brew","kind":"brew","formula":"spotify_player","bins":["spotify_player"]}]
Install only from trusted Homebrew sources, verify the packages you are installing, and keep them updated.
