Spotify Playlist Curator
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill is a coherent Spotify playlist tool, but users should be aware that it needs Spotify account access, stores tokens and taste preferences locally, contacts music metadata services, and installs Python packages during setup.
This skill appears purpose-aligned for Spotify playlist curation. Before installing, be comfortable granting Spotify OAuth scopes that can read listening data and modify playlists/playback, keep the local token file private, understand that recommendations may use ReccoBeats and MusicBrainz, and run setup in the intended skill directory.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked to do so, the agent can change playlists or queue tracks on the user's Spotify account.
This shows the skill can perform side-effecting Spotify actions, while also documenting user-intent guardrails for those actions.
Do not modify existing playlists unless the user explicitly asks. Use queue only for explicit queue requests.
Confirm the target playlist, tracks, and visibility before allowing adds/removes/updates, and prefer creating a new playlist unless you intentionally want an existing playlist changed.
The skill can access sensitive Spotify listening data and make account changes within the granted Spotify scopes.
The skill uses Spotify OAuth with permissions to read private/listening data and modify playlists/playback, and it persists refresh/access token metadata locally.
writes a token file containing the refresh token and access token metadata ... user-modify-playback-state ... playlist-read-private ... playlist-modify-public ... playlist-modify-private ... user-read-recently-played
Only authenticate if you trust the skill with those Spotify permissions, keep the token file private, and revoke the Spotify app authorization if you stop using it.
Future installs may pull newer dependency versions with different behavior or vulnerabilities.
The dependency file lists package names without version pins, so setup can resolve different package versions over time.
spotipy requests
Run setup in the provided venv, consider pinning dependency versions, and review dependency provenance if using this in a sensitive environment.
Saved preferences can affect future playlists and may preserve taste information longer than expected.
The skill intentionally maintains persistent preference memory that can influence future recommendations.
When the user expresses a taste preference ... save it to the taste profile so it persists across sessions.
Review or clear the taste profile if preferences change, and avoid storing sensitive personal notes as music preferences.
Some music choices or artist lookups may be sent to third-party music metadata APIs.
The recommendation flow uses external services for audio features and artist genre metadata, which can reveal the selected track IDs or artist names to those services.
Recommendations and audio features now come from ReccoBeats (api.reccobeats.com). No auth required ... Genre-based filtering ... uses MusicBrainz ... cached to disk for 30 days.
Use the recommendation and genre-analysis features only if you are comfortable with those external lookups.
A user may not realize from the registry metadata alone that setup requires Spotify developer credentials and OAuth consent.
The registry metadata does not surface the Spotify credential/OAuth requirement that is described in the setup files.
Required env vars: none; Env var declarations: none; Primary credential: none
Read the setup documentation before installing; the skill publisher should declare the Spotify credential and OAuth requirements in metadata.
