Spotify Review
Audited by ClawScan on May 10, 2026.
Overview
The Spotify playback workflow is understandable, but the setup asks users to install, with sudo, an executable that is not included in the package, and to store Spotify credentials on disk, so it needs review before use.
Before installing, make sure you can inspect and trust the actual `spotify` script, since it is not included in the reviewed artifacts. Prefer installing dependencies in a virtual environment and placing the command in a user-local bin directory. Store Spotify credentials with restrictive permissions and revoke the app/token if you stop using it.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user could place an unreviewed or wrong executable on their PATH, and an agent may later invoke it as `spotify`.
The package contains only SKILL.md, but the instructions install a `spotify` executable into a privileged system command path. Without the script in the artifacts, users cannot verify what code would later be run.
sudo cp spotify /usr/local/bin/spotify
sudo chmod +x /usr/local/bin/spotify
Provide the actual script in the package with clear provenance, or instruct users to install only from a trusted source. Prefer a user-local install path over `/usr/local/bin` when possible.
The install step could alter or break Python packages on the device.
Installing the Python dependency is purpose-aligned, but `--break-system-packages` bypasses distribution package protections and can affect the system Python environment.
pip3 install spotipy --break-system-packages
Use a virtual environment or pipx, and consider pinning the dependency version instead of modifying system Python.
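The checks a user can run against an installed `spotify` command before an agent is allowed to invoke it, covering both findings above (where the command resolves on PATH, and which Python environment it runs in). This is an added example, not code from the reviewed skill or from ClawScan. It assumes the user followed the recommendations: a wrapper script in ~/.local/bin whose shebang points at a virtual environment's interpreter. The function name and the venv detection via pyvenv.cfg are the example's own choices.

```python
import os
import stat
import shutil
from pathlib import Path


def check_spotify_command(path_env: str, home: str, name: str = "spotify") -> dict:
    """Resolve `name` the way a shell (and therefore the agent) would, then
    check that the file is the user-local wrapper the reviewer expects and
    not something another tool or user dropped onto PATH.

    Returns {"path": resolved path or None, "problems": [...]}; an empty
    problem list means the command passed every check here.
    """
    resolved = shutil.which(name, path=path_env)
    if resolved is None:
        return {"path": None, "problems": [f"{name!r} is not on PATH"]}

    problems = []
    target = Path(resolved).resolve()
    expected_dir = Path(home, ".local", "bin").resolve()

    # 1. Location: the command should live in the user-local bin directory,
    #    not in a root-owned path such as /usr/local/bin that needed sudo.
    if target.parent != expected_dir:
        problems.append(f"{target} is not under {expected_dir}")

    # 2. Integrity: neither the script nor its directory may be writable by
    #    group or others, otherwise any local user can change what runs.
    for p in (target, target.parent):
        if p.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{p} is writable by group or others")

    # 3. Environment: the shebang must name an interpreter inside a virtual
    #    environment (pyvenv.cfg sits two levels above <venv>/bin/python), so
    #    spotipy was not installed into the system Python with
    #    --break-system-packages. "#!/usr/bin/env python3" fails this check
    #    on purpose: it runs whatever python3 happens to be first on PATH.
    with open(target, "rb") as fh:
        shebang = fh.readline().decode(errors="replace").strip()
    parts = shebang[2:].split() if shebang.startswith("#!") else []
    if not parts:
        problems.append(f"{target} has no shebang line")
    else:
        interpreter = Path(parts[0])
        if not (interpreter.parent.parent / "pyvenv.cfg").is_file():
            problems.append(f"{interpreter} is not inside a virtual environment")

    return {"path": str(target), "problems": problems}


if __name__ == "__main__":
    # Run against the real PATH and home directory of the current user.
    report = check_spotify_command(os.environ.get("PATH", ""), os.path.expanduser("~"))
    print(report["path"] or "(not found)")
    for problem in report["problems"] or ["no problems found"]:
        print(" -", problem)
```

To produce a wrapper that passes check 3, create the environment with `python3 -m venv ~/.venvs/spotify`, install spotipy with that environment's pip (pinning the version you reviewed), and give the script in ~/.local/bin a shebang naming `~/.venvs/spotify/bin/python` by its absolute path. The check reads the shebang only; it does not tell you what the script does, so it complements, rather than replaces, reading the script itself.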
Anyone who can read the config file or the OAuth token cache can use the Spotify app integration as the user, within the scopes that were authorized.
The skill requires Spotify developer app credentials and OAuth authorization for playback control, stored in a local config file.
SPOTIPY_CLIENT_ID=your_client_id
SPOTIPY_CLIENT_SECRET=your_client_secret
SPOTIPY_REDIRECT_URI=http://127.0.0.1:8888/callback
Protect the config file, avoid sharing the device account, and revoke the Spotify developer app/token if no longer needed.
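An added example (not the skill's own code) of how the `spotify` script could load those credentials safely: refuse any config file or token cache that other local users can read, reject the placeholder values copied from the instructions, keep the redirect on loopback, and only then export the SPOTIPY_* variables that spotipy reads from the environment. The KEY=VALUE format is the one shown in the finding; the function names and the `cache_path` argument are assumptions of the example, and the check is POSIX-only (it uses file ownership bits).

```python
import os
import stat
from pathlib import Path
from urllib.parse import urlparse

# Keys spotipy reads from the environment; the skill's instructions set these.
REQUIRED = ("SPOTIPY_CLIENT_ID", "SPOTIPY_CLIENT_SECRET", "SPOTIPY_REDIRECT_URI")
# Placeholder values from the instructions that must never be used as-is.
PLACEHOLDERS = {"your_client_id", "your_client_secret"}


def require_private(path: Path) -> None:
    """Refuse a credential-bearing file unless we own it and no group/other
    permission bits are set (i.e. chmod 600 or stricter)."""
    st = path.stat()
    if st.st_uid != os.getuid():
        raise PermissionError(f"{path} is not owned by the current user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is readable or writable by others; run: chmod 600 {path}")


def load_spotify_config(config_path, cache_path=None) -> dict:
    """Parse a KEY=VALUE config file (the format shown in the finding) and
    validate it before anything touches the Spotify API."""
    cfg = Path(config_path)
    require_private(cfg)
    values = {}
    for raw in cfg.read_text().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line in {cfg}: {line!r}")
        values[key.strip()] = value.strip().strip("'\"")
    missing = [k for k in REQUIRED if not values.get(k)]
    if missing:
        raise ValueError(f"{cfg} is missing {', '.join(missing)}")
    if values["SPOTIPY_CLIENT_ID"] in PLACEHOLDERS or values["SPOTIPY_CLIENT_SECRET"] in PLACEHOLDERS:
        raise ValueError("config still contains the placeholder credentials from the instructions")
    # The OAuth callback must stay on the loopback address the instructions
    # use; a remote host here would deliver the authorization code elsewhere.
    host = urlparse(values["SPOTIPY_REDIRECT_URI"]).hostname
    if host not in ("127.0.0.1", "::1"):
        raise ValueError(f"SPOTIPY_REDIRECT_URI must point at loopback, got {host!r}")
    # spotipy caches the access and refresh token (in ./.cache by default);
    # that file is as sensitive as the secret and gets the same check.
    if cache_path is not None and Path(cache_path).exists():
        require_private(Path(cache_path))
    return values


def export_to_env(values: dict) -> list:
    """spotipy picks its credentials up from SPOTIPY_*; export only those keys
    so nothing else from the file leaks into child processes. Returns the
    names that were exported."""
    for key in REQUIRED:
        os.environ[key] = values[key]
    return list(REQUIRED)
```

Pass the token cache path explicitly so the check covers it too; the cache holds a refresh token, which is what an attacker actually needs to keep using the integration after the access token expires. Revoking the app in the Spotify account settings invalidates that refresh token.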
The agent may start, stop, or change music on a device logged into the user's Spotify account.
The skill gives the agent commands that can change live playback on the user's active Spotify device, which is expected for the stated purpose and partly mitigated by the instruction to confirm matches before playing.
`spotify play <song>` | Search and play a song ...
`spotify pause` ...
`spotify next`
Keep the search-and-confirm workflow before playback changes, especially when the request is ambiguous or multiple devices are active.
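An added example (not the skill's own code) of the search-and-confirm gate the recommendation describes: the agent may call playback only when the search result is unambiguous and exactly one device is active, and otherwise hands back the candidates and devices for the user to confirm. The sample responses are constructed to mirror the shape of spotipy's `sp.search(q, type="track")` and `sp.devices()` results; the function names and the matching rule (query must equal a track name, or a track name plus one of its artists) are the example's own.

```python
import re

# Constructed sample data shaped like the Spotify Web API responses spotipy
# returns (only the fields this logic needs).
SAMPLE_SEARCH = {
    "tracks": {
        "items": [
            {"name": "Blinding Lights", "uri": "spotify:track:aaa",
             "artists": [{"name": "The Weeknd"}]},
            {"name": "Blinding Lights", "uri": "spotify:track:bbb",
             "artists": [{"name": "Some Cover Band"}]},
            {"name": "Blinding Lights (Remix)", "uri": "spotify:track:ccc",
             "artists": [{"name": "The Weeknd"}, {"name": "Rosalía"}]},
        ]
    }
}
SAMPLE_DEVICES = {
    "devices": [
        {"id": "dev-laptop", "name": "Laptop", "type": "Computer", "is_active": True},
        {"id": "dev-speaker", "name": "Kitchen", "type": "Speaker", "is_active": False},
    ]
}


def _norm(text: str) -> str:
    """Lower-case and collapse punctuation so '(Remix)' and 'remix' compare equal."""
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()


def _labels(track: dict) -> set:
    """Every way a user might name this track: title alone, or title with one artist."""
    artists = [a["name"] for a in track["artists"]]
    labels = {track["name"]}
    for artist in artists:
        labels.update({f"{track['name']} {artist}", f"{artist} {track['name']}",
                       f"{track['name']} by {artist}"})
    return {_norm(label) for label in labels}


def describe(track: dict) -> str:
    return f"{track['name']} - {', '.join(a['name'] for a in track['artists'])}"


def pick_track(query: str, search_response: dict):
    """Return the URI only when exactly one result matches the query exactly."""
    items = search_response.get("tracks", {}).get("items", [])
    q = _norm(query)
    exact = [t for t in items if q in _labels(t)]
    return exact[0]["uri"] if len(exact) == 1 else None


def pick_device(devices_response: dict):
    """Return the device id only when exactly one device is active."""
    active = [d for d in devices_response.get("devices", []) if d.get("is_active")]
    return active[0]["id"] if len(active) == 1 else None


def plan_playback(query: str, search_response: dict, devices_response: dict) -> dict:
    """Decide whether the agent may start playback now or must ask first.

    A "play" plan carries the uri and device_id to pass to
    sp.start_playback(device_id=..., uris=[uri]); a "confirm" plan carries
    what the user needs to see to disambiguate.
    """
    items = search_response.get("tracks", {}).get("items", [])
    devices = devices_response.get("devices", [])
    uri = pick_track(query, search_response)
    if uri is None:
        reason = "no results" if not items else "query matches several tracks or none exactly"
        return {"action": "confirm", "reason": reason,
                "candidates": [describe(t) for t in items[:5]]}
    device_id = pick_device(devices_response)
    if device_id is None:
        return {"action": "confirm", "reason": "zero or multiple active devices",
                "devices": [f"{d['name']} ({d['type']})" for d in devices]}
    return {"action": "play", "uri": uri, "device_id": device_id}


if __name__ == "__main__":
    for q in ("Blinding Lights", "Blinding Lights The Weeknd"):
        print(q, "->", plan_playback(q, SAMPLE_SEARCH, SAMPLE_DEVICES))
```

The first query returns a confirm plan because two tracks share the exact title; the second names the artist and is played on the only active device. Any "confirm" plan should end the agent's turn with a question rather than a best guess, since a wrong guess changes what is playing on a real device.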
