Spotify Player

Pass. Audited by ClawScan on May 10, 2026.

Overview

This is a coherent Spotify CLI helper, but it asks you to store Spotify session cookies locally and to install an external Go tool, so handle both the cookie file and the install source carefully.

Before installing, make sure you trust the upstream spogo tool, preferably pin it to a specific version, and keep the Spotify cookie file private. Do not share the sp_dc or sp_t values with anyone. If you stop using the skill, delete the local cookie file and log out of Spotify so the copied session is invalidated.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone who obtains the cookie file can act as your Spotify account for as long as that session stays valid, and the agent can use the same cookies to control Spotify playback.

Why it was flagged

The skill explicitly relies on Spotify browser session cookies and stores them locally. This is expected for the stated cookie-auth Spotify control purpose, but those cookies are delegated account credentials.

Skill content
Have the user open DevTools → Application → Cookies → `open.spotify.com` and copy:
- `sp_dc` - Main auth token
...
- `sp_t`
...
Create `~/.config/spogo/cookies/default.json`
Recommendation

Treat the cookie file as a secret: never paste the cookie values into chats or logs, restrict the file (and its directory) to owner-only permissions, and revoke the cookies when needed by logging out of Spotify or changing the Spotify password.
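The owner-only file handling that the recommendation asks for, as an added example that is not part of the skill or of spogo. It assumes the cookie path the skill text names, `~/.config/spogo/cookies/default.json`; the JSON written in the test is a constructed placeholder, and the real file format is whatever spogo expects.

```shell
#!/bin/sh
# Added example, not from the audited skill or from spogo.
# Keeps the spogo cookie file readable only by its owner. The default path
# is the one the skill text names; the file's contents are not interpreted.

# Print the nine permission characters of a path, e.g. rw-------.
cookie_mode() {
  ls -ld "$1" | cut -c2-10
}

# Succeed only if group and other have no permission bits at all.
cookie_file_is_private() {
  [ -e "$1" ] || return 2
  case "$(cookie_mode "$1")" in
    ???------) return 0 ;;
    *)         return 1 ;;
  esac
}

# Write the cookie JSON from stdin (never from argv, which other local users
# can read via ps) under a private umask, so the file is never group- or
# world-readable, not even briefly before a later chmod.
write_cookie_file() {
  f="${1:-$HOME/.config/spogo/cookies/default.json}"
  ( umask 077 && mkdir -p "$(dirname "$f")" && cat > "$f" ) || return 1
  cookie_file_is_private "$f"
}

# Tighten an existing cookie file and its directory to owner-only access.
harden_cookie_file() {
  f="${1:-$HOME/.config/spogo/cookies/default.json}"
  chmod 700 "$(dirname "$f")" && chmod 600 "$f" || return 1
  cookie_file_is_private "$f"
}
```

Pipe the JSON into `write_cookie_file` when creating the file, and run `harden_cookie_file` on an existing one; both return non-zero if the file is still readable by anyone but the owner.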

What this means

Because the install target is `@latest`, what gets installed is whatever the newest tagged release is at install time, so a later upstream change could deliver code that differs from what the user reviewed or expected.

Why it was flagged

The install guidance fetches and builds an external Go package at the moving `@latest` version. This is normal for a CLI wrapper, but the reviewed artifacts do not include the installed code.

Skill content
go install github.com/steipete/spogo/cmd/spogo@latest
Recommendation

Review the upstream spogo repository and consider pinning a specific version or commit before installing.
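A small install wrapper that enforces the pinning recommendation, as an added example that is not part of the skill or of spogo. It accepts only a full semver tag or a full commit hash, refuses `latest`, and then prints the module version and hash that Go embedded in the built binary. `v1.2.3` in the test is a placeholder, not a real spogo release; check the repository's tags for actual versions.

```shell
#!/bin/sh
# Added example, not from the audited skill or from spogo.
# Installs spogo only at an explicit, immutable ref, then shows what was built.

# Accept a full semver tag (vX.Y.Z) or a full 40-hex commit hash. "latest",
# branch names, short hashes and pre-release tags are rejected: the first
# three can move, and pre-releases deserve a conscious choice.
is_pinned_ref() {
  printf '%s\n' "$1" | grep -Eq '^(v[0-9]+\.[0-9]+\.[0-9]+|[0-9a-f]{40})$'
}

spogo_install_pinned() {
  ref="$1"
  if ! is_pinned_ref "$ref"; then
    echo "refusing to install unpinned ref '$ref'; pass a tag or commit hash" >&2
    return 1
  fi
  # Leave GOSUMDB at its default so the module hash is checked against the
  # Go checksum database; a silently retagged release would fail that check.
  go install "github.com/steipete/spogo/cmd/spogo@$ref" || return 1
  # Print the module path, version and h1: hash embedded in the built binary,
  # which is what to record alongside the review of the upstream source.
  go version -m "$(command -v spogo)"
}
```

Usage: `spogo_install_pinned v1.2.3` (with a real tag). The `go version -m` output is the evidence that the binary on disk corresponds to the commit that was reviewed.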

What this means

The agent may start, pause, skip, or move Spotify playback when the skill is invoked for that purpose.

Why it was flagged

The skill allows terminal execution so the agent can run Spotify playback and device-control commands. This is central to the skill’s purpose, but it means the skill can make account-visible changes to playback state.

Skill content
allowed-tools: [exec]
...
spogo play spotify:track:ID
...
spogo pause
...
spogo device set "DEVICE_ID"
Recommendation

Use the skill only when you want the agent to control Spotify, and confirm device changes or playback actions if they matter.
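One way to get the "confirm device changes or playback actions" behaviour, as an added example that is not part of the skill or of spogo: a wrapper the agent calls instead of `spogo` directly. Commands that start playback or move it to another device require an interactive yes; everything else passes through. Which commands count as high-impact is this example's assumption, based only on the commands quoted above; `SPOGO_BIN` is an added hook so a test can substitute the real binary.

```shell
#!/bin/sh
# Added example, not from the audited skill or from spogo.
# Wraps spogo so that commands which change account-visible playback state
# or move playback to another device need an interactive yes; other commands
# (e.g. pause) pass straight through. SPOGO_BIN lets a test swap the binary.

# Return 0 for the skill-listed commands that start playback or change device.
needs_confirmation() {
  case "$1 $2" in
    "device set"|"play "*) return 0 ;;
    *)                     return 1 ;;
  esac
}

spogo_guarded() {
  if needs_confirmation "$1" "$2"; then
    printf 'About to run: spogo %s\nProceed? [y/N] ' "$*" >&2
    read -r answer || answer=""
    case "$answer" in
      y|Y|yes|YES) ;;
      *) echo "cancelled: spogo $*" >&2; return 1 ;;
    esac
  fi
  "${SPOGO_BIN:-spogo}" "$@"
}
```

Anything other than an explicit yes cancels, including EOF on stdin, so an agent that cannot answer the prompt cannot change devices or start playback through the wrapper.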