Media Orchestrator
ReviewAudited by ClawScan on May 1, 2026.
Overview
The skill generally matches its media-downloading purpose, but it can download files, send them through WhatsApp/Telegram, and relies on an external Spotify helper you should verify.
Install this only if you want your agent to download media and send it through configured chat platforms. Verify yt-dlp, OpenClaw messaging, and the spotify-surface helper are trusted and available, and consider adding recipient confirmation, file-size limits, and cleanup rules for downloaded media.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A media request can cause the agent to download external audio or video into the local OpenClaw workspace.
The skill invokes a local downloader with a user-provided search query and writes the resulting file into the workspace. This is central to the media-download purpose and uses argument lists rather than a shell, but it is still local command execution with network/download effects.
yt_dlp_command = ["python3", "-m", "yt_dlp"] ... ["-o", str(download_path), f"ytsearch1:{query}"]Use it only for intended media requests, and consider adding size, format, source, and cleanup limits if storage or bandwidth matters.
If invoked with a target, the skill can send media or text from your configured chat integration to that recipient.
The script sends files or messages through OpenClaw's WhatsApp/Telegram messaging integration. That is expected for this skill, but it uses whatever chat-sending authority is configured in the environment.
cmd_prefix = ["openclaw", "message", "send"] ... cmd_prefix.extend(["--channel", "whatsapp", "--target", target]) ... cmd_prefix.extend(["--media", file_path])
Confirm that only trusted agents can invoke this skill and that chat targets are derived from the requesting conversation, not arbitrary model output.
Spotify requests will depend on whatever spotify-surface script is installed locally, so its behavior may differ from the reviewed files here.
Spotify handling delegates to another local skill script that is not included in this artifact set or declared in an install spec. The SKILL.md discloses the spotify-surface component, so this is a provenance/dependency note rather than hidden behavior.
spotify_script_path = workspace / "skills" / "spotify-surface" / "scripts" / "spotify_surface.py" ... cmd = ["python3", str(spotify_script_path), source, query]
Review and install the spotify-surface dependency from a trusted source before relying on Spotify functionality.
Spotify metadata may remain in the workspace and be reused by the WebUI after the original request.
The skill describes persistent Spotify metadata stored in the workspace for later WebUI playback. This appears purpose-aligned and is not credential storage, but it is persistent state derived from external media metadata.
persists this data as a JSON contract in the workspace ... Stores Spotify track contracts (e.g., `track_id.json`)
Keep the metadata directory scoped to media data, and periodically clear it if you do not want playback metadata retained.