Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Spotify Player

Spotify CLI for headless Linux servers. Control Spotify playback via terminal using cookie auth (no OAuth callback needed). Perfect for remote servers withou...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
1 · 2k · 3 current installs · 3 all-time installs
by shaharsh @Shaharsha
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description match the instructions: the skill documents using spogo (Spotify CLI) with cookie auth for headless servers. Requiring the spogo binary and instructing how to install it with `go install` is coherent with the stated purpose. Minor inconsistency: the registry shows 'no install spec' while SKILL.md metadata includes a go install step—this is explainable but should be noted.
Instruction Scope
Most instructions stay on-purpose (install Go, `go install` spogo, create config and cookie JSON). The 'browser fallback' guidance instructs opening the user's browser profile and automating a Play click (`browser open ... profile=openclaw`), which may require access to the user's browser profile/state. That step could expose or act on browser state beyond the minimal task; the SKILL.md claims it doesn't extract additional cookies, but that is a declarative claim the runtime/agent would need to honor. Also examples use root paths (e.g., /root/.config/...) and `sudo ln -s`, which can encourage running installation steps with elevated privileges unnecessarily.
Install Mechanism
No official install spec in registry, but SKILL.md encourages `go install github.com/steipete/spogo/cmd/spogo@latest` (compiles/fetches source from GitHub). This is a common way to install Go CLIs but still involves fetching and building remote code—moderate trust is required in the upstream repo. The included Go download URL (https://go.dev/dl/) is legitimate. Overall install approach is proportionate to the claimed purpose but carries the usual risk of running freshly-built code from a remote repo.
Credentials
The skill requests no environment variables but does require the user's Spotify cookies (sp_dc and sp_t). Those are necessary for cookie auth and proportionate to the feature, but they are sensitive credentials (the SKILL.md itself warns to treat them as secrets). The explicit instruction to place cookie files in ~/.config/spogo/cookies/ is expected but requires the user to trust local storage and the spogo binary.
Persistence & Privilege
The skill does not request always: true, does not demand persistent system-wide privileges, and does not declare modifications to other skills or global agent settings. It suggests creating files in the user's home config directory only (though examples show root paths). Autonomous invocation is allowed (default) but that is the platform norm.
What to consider before installing
This skill documents how to use the spogo CLI and how to authenticate by copying your Spotify cookies. That is coherent, but before installing or running it you should: (1) review the upstream GitHub repository (steipete/spogo) and its source to ensure you trust the code you will build with `go install`; (2) avoid running install steps as root—install in your user account and add ~/go/bin to PATH instead of symlinking to /usr/local with sudo; (3) be cautious when using the 'browser fallback'—it asks the agent to open a browser profile and click Play, which could access browser state; prefer starting playback on a device you control manually rather than giving an agent automated access; (4) treat sp_dc and sp_t as secrets: store them only on devices you trust and delete them if you suspect compromise; (5) if you need stronger isolation, consider using an OAuth flow on a machine where a localhost callback is possible or run spogo in a dedicated, isolated environment after auditing the binary/source. If you want me to, I can (a) fetch and summarize the steipete/spogo repo contents for review, or (b) point out exactly which commands in the SKILL.md would need elevated privileges so you can avoid them.

Current version: v1.1.0
latest vk973vd4r0c0tz5p6b61sbwrz15814vgv

Runtime requirements

🎵 Clawdis
Any bin: spogo

SKILL.md

Spogo - Spotify CLI for Linux Servers

Control Spotify from headless Linux servers using cookie-based auth. No OAuth callback needed - perfect for remote servers.

Why This Skill?

The original spotify-player skill by steipete on ClawHub assumes local browser access for cookie import (spogo auth import --browser chrome). On headless Linux servers without a local browser, this doesn't work.

This skill documents the cookie-based workaround - copy 2 browser cookies and you're done. No OAuth, no localhost needed.

Requirements

  • Spotify Premium account
  • Go 1.21+ installed
  • User's Spotify browser cookies

Installation (Linux)

1. Install Go (if not installed)

# Ubuntu/Debian
sudo apt update && sudo apt install -y golang-go

# Or download latest from https://go.dev/dl/
wget https://go.dev/dl/go1.23.4.linux-amd64.tar.gz
sudo tar -C /usr/local -xzf go1.23.4.linux-amd64.tar.gz
echo 'export PATH=$PATH:/usr/local/go/bin:~/go/bin' >> ~/.bashrc
source ~/.bashrc

2. Install spogo

go install github.com/steipete/spogo/cmd/spogo@latest

This installs to ~/go/bin/spogo. Add to PATH if needed:

sudo ln -s ~/go/bin/spogo /usr/local/bin/spogo

3. Verify

spogo --version
# spogo v0.2.0

Setup (Cookie Auth)

Since OAuth requires a localhost callback (impossible on remote servers), we use cookie auth instead.

1. Get cookies from browser

Have the user open DevTools → Application → Cookies → open.spotify.com and copy:

  • sp_dc - Main auth token (long string, required)
  • sp_t - Device ID (UUID format, required for playback)

2. Create config

Create ~/.config/spogo/config.toml:

default_profile = "default"

[profile.default]
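# Must be the absolute path of the cookies file created in step 3.
# /root/... is correct only when running as root; otherwise use your own home directory.
cookie_path = "/root/.config/spogo/cookies/default.json"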
market = "IL"
language = "en"

3. Create cookies file

Create ~/.config/spogo/cookies/default.json:

[
  {
    "name": "sp_dc",
    "value": "USER_SP_DC_VALUE",
    "domain": ".spotify.com",
    "path": "/",
    "expires": "2027-01-01T00:00:00Z",
    "secure": true,
    "http_only": true
  },
  {
    "name": "sp_t",
    "value": "USER_SP_T_VALUE",
    "domain": ".spotify.com",
    "path": "/",
    "expires": "2027-01-01T00:00:00Z",
    "secure": false,
    "http_only": false
  }
]

4. Verify

spogo auth status
# → "Cookies: 2 (file)"
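
Steps 2 and 3 as a script that keeps the two cookies readable by the owning user only and writes a `cookie_path` that follows the real home directory. This is an added example, not part of the original SKILL.md or of spogo; the base-directory argument is a hypothetical hook for testing, and everything else (paths, JSON fields, market, expiry) is taken from the steps above.

```sh
#!/bin/sh
# Added example, not part of the skill or of spogo. File layout and JSON fields
# are the ones from the steps above; the base-directory argument is a
# hypothetical test hook. Overwrites an existing config.toml and default.json.

# Reads sp_dc (line 1) and sp_t (line 2) from stdin, so the secrets never show
# up in argv, `ps` output or shell history. Runs in a subshell: the umask change
# and the variables holding the secrets do not leak into the calling shell.
write_spogo_auth() (
  dir="${1:-$HOME}/.config/spogo"
  IFS= read -r sp_dc || [ -n "$sp_dc" ] || exit 1
  IFS= read -r sp_t || [ -n "$sp_t" ] || exit 1
  for v in "$sp_dc" "$sp_t"; do
    case $v in
      '' | USER_SP_* | *\"* | *\\*)
        echo "refusing empty, placeholder or JSON-breaking value" >&2
        exit 1 ;;
    esac
  done
  umask 077                                    # new files 0600, new dirs 0700
  mkdir -p "$dir/cookies" || exit 1
  chmod 700 "$dir" "$dir/cookies" || exit 1    # tighten directories that already existed
  cookie() {                                   # args: name value secure http_only
    printf '  {"name": "%s", "value": "%s", "domain": ".spotify.com", "path": "/",\n' "$1" "$2"
    printf '   "expires": "2027-01-01T00:00:00Z", "secure": %s, "http_only": %s}' "$3" "$4"
  }
  {
    printf '[\n'
    cookie sp_dc "$sp_dc" true true
    printf ',\n'
    cookie sp_t "$sp_t" false false
    printf '\n]\n'
  } > "$dir/cookies/default.json" || exit 1
  chmod 600 "$dir/cookies/default.json" || exit 1   # umask does not change an existing file
  # cookie_path is absolute and follows the real home instead of a fixed /root
  printf 'default_profile = "default"\n\n[profile.default]\ncookie_path = "%s"\nmarket = "IL"\nlanguage = "en"\n' \
    "$dir/cookies/default.json" > "$dir/config.toml"
)

# Succeeds only if the cookie directory is 0700 and the cookie file is 0600.
spogo_perms_ok() (
  c="${1:-$HOME}/.config/spogo/cookies"
  d=$(ls -ld "$c" | cut -c1-10)
  f=$(ls -l "$c/default.json" | cut -c1-10)
  [ "$d" = "drwx------" ] && [ "$f" = "-rw-------" ]
)
```

Run `write_spogo_auth` with no argument and enter the two values on separate lines, then use `spogo_perms_ok` later to confirm nothing has loosened the permissions.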

Commands

# Search
spogo search track "query"
spogo search track "query" --json --limit 5

# Play
spogo play spotify:track:ID
spogo play                    # Resume
spogo pause
spogo next
spogo prev

# Devices
spogo device list --json
spogo device set "DEVICE_ID"

# Status
spogo status
spogo status --json

"missing device id" Error - Browser Fallback

spogo needs an active Spotify session. If no device played recently:

  1. Open track in browser:

browser open https://open.spotify.com/track/TRACK_ID profile=openclaw

  2. Click Play via browser automation

  3. Transfer to target device:

spogo device set "DEVICE_ID"

The browser profile stays logged in (cookies persist). Session stays active for hours after playback.

Rate Limits

  • Connect API (default): No rate limits ✓
  • Web API (--engine web): Rate limited (429 errors)
  • For library access when rate limited → use browser automation

Troubleshooting

"missing device id"

No active Spotify session. Use browser fallback (see above) to start playback first.

"401 Unauthorized"

Cookies expired. Get fresh cookies from browser and update the JSON file.

Commands work but no sound

Check spogo device list - playback might be on the wrong device. Use spogo device set "DEVICE_ID" to switch.

Security & Privacy

  • Cookie handling: sp_dc and sp_t are stored locally in ~/.config/spogo/cookies/ — treat them as secrets, never log or share them
  • Network access: spogo only communicates with Spotify APIs (api.spotify.com, open.spotify.com)
  • Browser fallback: Optional — only used when no active Spotify device exists. Uses the agent's browser profile to open open.spotify.com and click Play. This does NOT extract additional cookies or access other browser state
  • Install source: go install from the official steipete/spogo GitHub repository — open source, auditable

Notes

  • Cookie expiry: ~1 year, but cookies may be invalidated earlier if the user logs out or changes their password
  • Premium required: Free accounts can't use Connect API
  • Market setting: Change market in config for correct regional availability (IL, US, etc.)
