Media Orchestrator

Unified skill for resolving, downloading, and delivering media (audio/video) to chat platforms. Integrates yt-dlp for resolution and handles Spotify metadata sync.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
by Sieer Shafi Lone (@sieershafilone)
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (resolve, download, deliver media) aligns with the script's behavior: it invokes yt-dlp, writes downloads to workspace, and calls the OpenClaw 'message' CLI to send files. However the skill hardcodes a specific user workspace path (/home/ky11rie/.openclaw/workspace) and expects/executes another skill's script (spotify_surface) in that path — that is unusual and not justified in the manifest. The manifest lists exec and filesystem read/write permissions which are consistent, but cross-skill execution is a design choice that should be explicit.
Instruction Scope
SKILL.md and orchestrator.py instruct the agent to: run yt-dlp (python -m yt_dlp) to download media into the workspace, call a spotify_surface script via subprocess for Spotify requests, and call an 'openclaw message send' CLI to deliver files. These instructions read/write workspace files and execute other skill scripts. The SKILL.md explicitly mentions 'Zero-Auth scraping' for Spotify metadata — that implies scraping behavior that may access external endpoints and bypass official APIs. The script does not attempt to read arbitrary host files, but executing another skill's script and writing persistent JSON contracts in workspace increases scope beyond a simple downloader.
Install Mechanism
This is instruction-plus-code with no install spec. The script assumes availability of python3, yt-dlp (python module), and possibly ffmpeg/ffprobe; none are declared for installation. Not providing an install mechanism is lower risk for arbitrary network fetches, but it also makes runtime failures likely or hides implicit dependency requirements. No external downloads are executed by the skill itself, which reduces immediate install risk.
Credentials
The manifest declares exec and filesystem permissions but no environment variables or credentials. The script executes another skill (spotify_surface.py) that may rely on credentials or perform scraping, yet those requirements are not declared. The lack of declared dependencies/credentials while executing cross-skill code is disproportionate: the orchestrator can trigger code that might access secrets or external services without making those needs explicit.
Persistence & Privilege
always:false (no forced global inclusion). The skill writes/downloads into the workspace and persists Spotify JSON contracts there; that is expected for its purpose. It does not modify other skills' configuration or request permanent presence. The main privilege concern is the ability to execute other skill scripts in the shared workspace, which can increase blast radius but is not itself set as a persistent or always-enabled capability.
What to consider before installing
Key things to consider before installing:

  • The skill will execute yt-dlp (python -m yt_dlp) and optionally ffmpeg; these dependencies are not declared or installed by the skill. Ensure your environment has safe, vetted versions of yt-dlp and ffmpeg, and consider running in a sandbox.
  • The orchestrator hardcodes /home/ky11rie/.openclaw/workspace and calls another skill's script at workspace/skills/spotify-surface/scripts/spotify_surface.py. That means it expects and will execute code from other skills in the shared workspace — review spotify_surface.py (and any other referenced scripts) before enabling this skill.
  • The SKILL.md mentions 'Zero-Auth scraping' for Spotify metadata. Scraping can bypass APIs and may fetch data from third-party sites; check spotify_surface.py for network endpoints, credential usage, and compliance with service terms.
  • The script invokes the host CLI 'openclaw message send' to deliver files. Confirm that the message tool behaves as you expect and that the skill cannot send arbitrary filesystem files beyond its intended downloads.
  • Because the skill has exec + filesystem permissions and runs subprocesses, prefer installing only if you trust the source or after auditing the included scripts (spotify_surface and any invoked binaries). If you cannot review them, run the skill in an isolated environment with restricted filesystem/network access.
  • If you want to proceed but reduce risk: require the skill to declare/install yt-dlp/ffmpeg, remove hardcoded user paths (use workspace variable injection), and explicitly document the spotify_surface dependency and any credentials it needs.

Like a lobster shell, security has layers — review code before you run it.

Current version: v0.1.1


SKILL.md

Media Orchestrator

This skill centralizes the logic for handling all media requests (audio, video, Spotify tracks) from chat platforms like WhatsApp and Telegram. It leverages yt-dlp for robust search and download capabilities from YouTube and performs Spotify metadata resolution for WebUI integration.

⚙️ How it Works

  1. Resolution: Upon receiving a media request, the orchestrator uses yt-dlp's ytsearch1: functionality to find the highest quality match from YouTube.
  2. Download: The selected media (audio or video) is downloaded directly into the OpenClaw workspace.
  3. Delivery: The downloaded file is then dispatched to the requesting chat platform (WhatsApp/Telegram) using the message tool's filePath argument, ensuring silent delivery as per protocol.
  4. Spotify Sync: For Spotify-specific requests, the orchestrator resolves track metadata via Zero-Auth scraping (bypassing direct API holds) and persists this data as a JSON contract in the workspace, enabling synchronized playback in the OpenClaw WebUI.

📂 Workspace Paths

  • Primary Workspace: /home/ky11rie/.openclaw/workspace/
    • Raw downloaded media files (.mp4, .mp3, etc.) reside here temporarily.
  • Spotify Metadata: /home/ky11rie/.openclaw/workspace/media/spotify/
    • Stores Spotify track contracts (e.g., track_id.json) generated by the spotify-surface component.
  • Skill Scripts: /home/ky11rie/.openclaw/workspace/skills/spotify-surface/scripts/
    • Contains the dedicated logic engine for Spotify integration.
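
One way to act on the scan's advice to drop the hardcoded workspace path and to confirm that only intended downloads can be handed to the message tool, as an added example (not code from this skill or from OpenClaw). The variable name `SKILL_WORKSPACE` and the allowed-suffix list are assumptions.

```python
import os
import tempfile
from pathlib import Path

WORKSPACE_ENV = "SKILL_WORKSPACE"  # hypothetical name, not an OpenClaw setting
ALLOWED_SUFFIXES = {".mp3", ".mp4", ".m4a", ".webm"}  # assumed media types


def resolve_workspace(env=None):
    """Take the workspace root from the environment instead of a fixed /home path."""
    env = os.environ if env is None else env
    raw = env.get(WORKSPACE_ENV)
    if not raw:
        raise RuntimeError(f"{WORKSPACE_ENV} is not set")
    root = Path(raw).resolve(strict=True)
    if not root.is_dir():
        raise RuntimeError(f"{root} is not a directory")
    return root


def deliverable_path(candidate, workspace):
    """Return the real path only for a regular media file inside the workspace."""
    # resolve() follows symlinks and collapses "..", so the check is on the real target.
    real = Path(workspace, candidate).resolve(strict=True)
    if not real.is_relative_to(workspace):  # Python 3.9+
        raise ValueError(f"outside workspace: {candidate}")
    if not real.is_file() or real.suffix.lower() not in ALLOWED_SUFFIXES:
        raise ValueError(f"not a deliverable media file: {candidate}")
    return real


def demo():
    """Constructed sample tree: one real download plus four paths that must be refused."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        ws = Path(tmp, "workspace")
        ws.mkdir()
        outside = Path(tmp, "secret.mp3")
        outside.write_bytes(b"constructed")
        (ws / "song.mp3").write_bytes(b"constructed")
        (ws / "track_id.json").write_text("{}")
        os.symlink(outside, ws / "link.mp3")
        root = resolve_workspace({WORKSPACE_ENV: str(ws)})
        cases = {"download": "song.mp3", "contract": "track_id.json", "symlink": "link.mp3",
                 "dotdot": "../secret.mp3", "absolute": str(outside)}
        for label, candidate in cases.items():
            try:
                results[label] = deliverable_path(candidate, root).name
            except (ValueError, OSError):
                results[label] = None
    return results
```

Pass the returned real path, not the original string, to the delivery step so the file that was checked is the file that is sent.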

🛠️ Commands

This skill acts as an underlying orchestrator, processing natural language requests. Example intents it handles:

  • send audio file song: [song name]
  • send video file mp4 480p: [video name]
  • play [spotify track or url] (leveraging spotify-surface)
