spongo
Pass. Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: spongo
Version: 1.0.0
The skill provides instructions for using legitimate terminal Spotify clients (`spogo` and `spotify_player`). The most sensitive action, `spogo auth import --browser chrome`, accesses browser cookies for local authentication with Spotify, which is a core, stated function of the `spogo` tool. There is no evidence of data exfiltration to external endpoints, malicious execution, persistence mechanisms, or prompt injection attempts to subvert the agent's behavior beyond the stated purpose. All commands and installation steps (via `brew`) are standard and align with the skill's description in `SKILL.md`.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The Spotify CLI may gain access through browser session cookies, which could expose more sensitive account/session material than a normal scoped OAuth setup if mishandled by the external tool.
This tells the user or agent to authenticate by importing Chrome browser cookies. Browser cookies/session stores are sensitive local credential material, and the artifacts do not clearly bound which cookies are accessed, how they are stored, or how access is revoked.
spogo setup:
- Import cookies: `spogo auth import --browser chrome`
Only run cookie import if you trust `spogo` and understand what it imports; prefer a documented OAuth/config flow when available and revoke or clear imported credentials when no longer needed.
If invoked at the wrong time, the agent could change playback state, select a device, or like a track on the user's Spotify account.
The skill documents commands that can control playback, switch Spotify Connect devices, and modify liked tracks. These actions fit the stated Spotify-control purpose, but they are still account-affecting actions.
- Playback: `spogo play|pause|next|prev`
- Devices: `spogo device list`, `spogo device set "<name|id>"`
- Like track: `spotify_player like`
Use the skill for explicit Spotify requests and review actions that change devices or library state.
The installed CLI tools will run locally and may handle Spotify authentication, so their trustworthiness matters.
The skill's functionality depends on external Homebrew packages, including a third-party tap for `spogo`. This is disclosed and central to the skill, but provenance and package behavior are outside the provided artifact set.
`"install":[{"id":"brew","kind":"brew","formula":"spogo","tap":"steipete/tap","bins":["spogo"]},{"id":"brew","kind":"brew","formula":"spotify_player","bins":["spotify_player"]}]`
Install only from trusted Homebrew sources, verify the packages you are installing, and keep them updated.
