Music Identify

v1.2.0

Identify songs from audio clips using AudD API and optionally queue them to Spotify. Triggers on /songsearch command, voice messages with song identification...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the implementation. The included scripts call AudD (api.audd.io) and Spotify endpoints only, and the workflow (identify then optionally queue on Spotify) is coherent with the declared purpose.
Instruction Scope
Instructions and scripts read/write local files: AudD API key at ~/.config/audd/api_key, Spotify credentials/tokens under ~/.config/spotify/, and append to memory/music-log.json. They also instruct saving audio temporarily (e.g., /tmp). This is expected for the feature but is a privacy consideration because identified-song history and OAuth tokens are stored locally.
Install Mechanism
No install spec; this is an instruction-only skill with shipped scripts (bash + one small Python auth server). Nothing is downloaded from external or untrusted URLs and no archive extraction occurs.
Credentials
No environment variables are required, but the skill requires filesystem-stored credentials and tokens under the user's home (~/.config). That is proportional to the Spotify/AudD integrations, but users should be aware these files contain secrets and must be protected (the SKILL.md recommends chmod 600).
Persistence & Privilege
The skill performs persistent writes only to its own expected locations: ~/.config/audd, ~/.config/spotify, and memory/music-log.json. The Spotify auth flow starts a local HTTP server bound to 0.0.0.0:8888 for the callback. This is typical for local OAuth, but it means the machine will accept incoming HTTP callbacks on that port during auth, and the port can be exposed if you use a public tunnel. The skill has always:false and makes no cross-skill config modification.
Assessment
This skill appears to do what it says, but before installing consider:
- It stores secrets as files: AudD API key (~/.config/audd/api_key) and Spotify credentials/tokens (~/.config/spotify/). Make sure those files are created with restrictive permissions (chmod 600) and store only credentials you trust.
- The Spotify auth script runs a temporary HTTP server bound to 0.0.0.0:8888 to receive the OAuth callback. If you expose that port via a public tunnel (ngrok, Tailscale Serve, etc.), anyone who can reach it could attempt to hit the callback; prefer using a local-only redirect URI or ensure the tunnel is private.
- The skill appends identifications to memory/music-log.json; this creates a persistent local history of songs you asked about. If that is sensitive, periodically rotate or delete the file or change where it is written.
- The skill sends audio files to api.audd.io; check AudD's privacy/retention policy before sending audio you consider private. Also keep track of API usage limits/costs.
- The scripts are plain and readable (no obfuscated code). If you have stricter security requirements, inspect the scripts yourself before running and consider running the auth flow on an isolated machine.

If these behaviors are acceptable (local credential files, local log, and a temporary auth server), the skill is coherent and can be used. If you are uncomfortable with any of the above, either do not install the skill or modify the scripts to match your security posture (for example, change the redirect URI to a localhost-only address, encrypt stored tokens, or change the memory log location).

Like a lobster shell, security has layers — review code before you run it.
