Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

LastFM to Spotify Playlists

v1.5.0

Build music recommendations and create Spotify playlists using Last.fm similarity and listening history.

by Stanislav Stankovic @stanestane

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for stanestane/lastfm-spotify-playlists.

Install the skill "LastFM to Spotify Playlists" (stanestane/lastfm-spotify-playlists) from ClawHub.
Skill page: https://clawhub.ai/stanestane/lastfm-spotify-playlists
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install lastfm-spotify-playlists

ClawHub CLI

npx clawhub@latest install lastfm-spotify-playlists

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The name/description (Last.fm discovery + optional Spotify playlist creation) aligns with the code and SKILL.md: the code talks to Last.fm's API for recommendations and to Spotify for search/playlist creation. However the registry metadata claims no required environment variables or primary credential while the SKILL.md and code clearly use LASTFM_* and SPOTIFY_* credentials (or credential files). That metadata omission is inconsistent and worth attention.
Instruction Scope
SKILL.md explicitly instructs the agent to run local Python scripts from the skill folder and to use Last.fm/Spotify APIs. The runtime instructions and code only reference Last.fm and Spotify endpoints and credential files under ~/.openclaw; they do not request other system secrets or contact unexpected external endpoints. The skill will read credentials from env vars or ~/.openclaw/* and will save a Spotify token to ~/.openclaw/spotify-token.json — this is expected for OAuth but should be noted.
Install Mechanism
No install spec and requirements.txt indicates standard library only. This is an instruction/script-only skill with bundled Python files — no third-party installs or remote downloads are performed by the skill itself.
Credentials
The skill legitimately needs Last.fm API key/username and Spotify client id/secret/redirect URI (and will store Spotify tokens). Those credentials are proportionate to the described functionality, but the registry metadata did not declare these required env vars or a primary credential — this mismatch reduces transparency and could mislead users about what secrets they must provide. The skill also writes tokens to the user's home directory (~/.openclaw).
Persistence & Privilege
always:false (normal). The skill persists a Spotify token to ~/.openclaw/spotify-token.json and may create credential files there; that is expected for OAuth flows. It does not request elevated system privileges or modify other skills. Autonomous invocation is allowed (platform default) but not combined with other high-risk indicators here.
What to consider before installing
This appears to be a legitimate Last.fm→Spotify script set, but pay attention before running:

1) It requires Last.fm API credentials and Spotify client_id/client_secret/redirect_uri (or equivalent JSON files) even though the registry metadata omitted them — do not supply secrets unless you trust the skill.
2) The skill will save a Spotify OAuth token to ~/.openclaw/spotify-token.json; ensure that location and its permissions meet your expectations.
3) The provided pipeline excerpt appears truncated/contains an apparent typo; expect possible runtime errors — inspect pipeline.py and run in an isolated environment (or review the full code) before giving it your credentials.
4) Network activity is limited to Last.fm and Spotify APIs (no hidden endpoints detected), but if you want extra caution, run the scripts in a sandbox or create limited-scope Spotify credentials (minimal scopes) and revoke them after testing.
spotify_credentials.example.json:4
Install source points to URL shortener or raw IP.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.

Like a lobster shell, security has layers — review code before you run it.

latest vk971n3h9n0xcsn22asdtfcwf9s83qw37
135 downloads
0 stars
2 versions
Updated 1mo ago
v1.5.0
MIT-0

Execution Model

This skill runs directly via local Python scripts.

Valid entrypoints:

  • python run_pipeline.py ...
  • python auth.py

Absolute rules

  • Do NOT use ACP
  • Do NOT request or require an agentId
  • Do NOT propose manual workflows
  • Do NOT suggest alternative scripts or paths
  • Do NOT reference any scripts/ directory
  • Do NOT use python -m module execution
  • Do NOT assume the package must be installed

All commands must be executed from the root of this skill folder.


Critical Behavior Rules

If the user asks for:

  • creating a playlist
  • adding songs to Spotify
  • saving results to Spotify

You MUST execute:

--output-mode spotify --create-playlist

Primary entrypoints:
- `python run_pipeline.py ...`
- `python auth.py ...`

This skill is intentionally organized as plain scripts plus helper modules:
- `run_pipeline.py`
- `auth.py`
- `lastfm.py`
- `spotify.py`
- `pipeline.py`
- `common.py`

No package installation is required.

# Purpose

This skill:
- uses Last.fm as the discovery engine
- expands seeds through `track.getsimilar`
- ranks merged candidates
- optionally matches results on Spotify
- optionally creates Spotify playlists

# Requirements

## Python
A normal local Python interpreter must be available.

## Last.fm credentials
Supported sources:
- environment variables:
  - `LASTFM_API_KEY`
  - `LASTFM_SHARED_SECRET`
  - `LASTFM_USERNAME`
- credentials file:
  - `~/.openclaw/lastfm-credentials.json`
- explicit file path via command flag:
  - `--creds <path>`

Example file:
```json
{
  "api_key": "YOUR_LASTFM_API_KEY",
  "shared_secret": "YOUR_LASTFM_SHARED_SECRET",
  "username": "YOUR_LASTFM_USERNAME"
}
```

## Spotify credentials

Needed only for Spotify matching or playlist creation.

Supported sources:

  • environment variables:
    • SPOTIFY_CLIENT_ID
    • SPOTIFY_CLIENT_SECRET
    • SPOTIFY_REDIRECT_URI
  • credentials file:
    • ~/.openclaw/spotify-credentials.json
  • explicit file path via command flag:
    • --spotify-creds <path>

Saved token location:

  • ~/.openclaw/spotify-token.json
  • or explicit path via --spotify-token <path>
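
An added example, not part of the skill's own code: a Python check that the credential and token files named above are accessible only to their owner on a POSIX system. The function names are hypothetical, and the 0600/0700 modes are an assumed policy, not something the skill is documented to enforce.

```python
import os
import stat
from pathlib import Path

# File names taken from the skill documentation on this page.
SECRET_FILES = (
    "lastfm-credentials.json",
    "spotify-credentials.json",
    "spotify-token.json",
)


def audit_secret_files(base: Path) -> list[str]:
    """Return findings for secret files accessible beyond their owner."""
    findings = []
    if base.is_dir() and stat.S_IMODE(base.stat().st_mode) & 0o077:
        findings.append(f"{base.name}/: directory open to group/other")
    for name in SECRET_FILES:
        path = base / name
        if not path.exists():
            continue  # absent is fine: env vars or an explicit path may be in use
        if path.is_symlink():
            findings.append(f"{name}: is a symlink, check its target")
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & 0o077:  # any group/other permission bit set
            findings.append(f"{name}: mode {mode:04o}, expected 0600")
    return findings


def harden_secret_files(base: Path) -> None:
    """Restrict the directory to 0700 and each present secret file to 0600."""
    if base.is_dir():
        os.chmod(base, 0o700)
    for name in SECRET_FILES:
        path = base / name
        if path.is_file() and not path.is_symlink():
            os.chmod(path, 0o600)


if __name__ == "__main__":
    for finding in audit_secret_files(Path.home() / ".openclaw"):
        print(finding)
```

Run the audit again after `python auth.py`, since that is the step that writes the Spotify token file.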

Command Selection

1. Recommend from recent Last.fm listening

Use when the request is based on a user's recent scrobbles.

```
python run_pipeline.py recent-tracks --user "<LASTFM_USER>" --recent-count 10 --similar-per-seed 5 --final-limit 20 --output-mode lastfm-only
```

2. Recommend from a seed artist

Use when the request is based on one artist.

```
python run_pipeline.py artist-rule-c "<ARTIST_NAME>" --seed-count 5 --similar-per-seed 10 --final-limit 20 --output-mode lastfm-only
```

3. Recommend from top artists

Use when the request is based on a user's broader taste profile.

```
python run_pipeline.py top-artists-blend --user "<LASTFM_USER>" --period 1month --artist-count 5 --seed-count-per-artist 3 --similar-per-seed 5 --final-limit 20 --output-mode lastfm-only
```

4. Match recommendations to Spotify

Use when the user wants playable Spotify results but not necessarily a playlist.

```
python run_pipeline.py recent-tracks --user "<LASTFM_USER>" --recent-count 10 --final-limit 20 --output-mode spotify
```

5. Create Spotify playlist

Use when the user explicitly wants a playlist created.

```
python run_pipeline.py recent-tracks --user "<LASTFM_USER>" --recent-count 10 --final-limit 20 --output-mode spotify --create-playlist --playlist-name "Last.fm Recommendations"
```

6. Run Spotify auth

Use when Spotify token setup is required.

```
python auth.py
```

Optional explicit paths:

```
python auth.py --spotify-creds "<PATH_TO_SPOTIFY_CREDS_JSON>" --spotify-token "<PATH_TO_SPOTIFY_TOKEN_JSON>"
```

Behavior Rules

  • Prefer Last.fm for recommendation discovery
  • Use Spotify only for:
    • search
    • playlist creation
    • playlist population
  • If the user only wants suggestions, use --output-mode lastfm-only
  • If the user wants Spotify results, use --output-mode spotify
  • If the user wants a playlist created, add --create-playlist
  • Never invent missing credentials
  • Never fall back to ACP or agent execution

Output Expectations

The scripts print JSON to stdout.

Return the JSON result directly or summarize it faithfully.

Typical fields include:

  • mode
  • user
  • seed_artist
  • seed_tracks
  • suggestions
  • matched_tracks
  • unmatched_tracks
  • playlist

Error Handling

If the script exits with an error:

  • surface stderr or the raised error message directly
  • do not retry through ACP
  • do not ask for an agentId
  • do not claim the skill is unavailable because it is not a package

Common expected failures:

  • missing Last.fm API key
  • missing Last.fm username
  • missing Spotify credentials
  • missing Spotify token
  • expired Spotify token without refresh token

Notes

This skill is intentionally script-based for reliability.

It should work as long as:

  • the skill folder is present
  • Python is present
  • credentials are configured
  • commands are executed from the skill folder root

It must not depend on package installation, editable installs, or import path manipulation.
