Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Sonos Music Search Skill

v1.0.0

Search and play music on Sonos speakers using Brave Search to find Spotify tracks


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for terrycarter1985/sonos-music-search-skill.

Prompt (Install & Setup):
Install the skill "Sonos Music Search Skill" (terrycarter1985/sonos-music-search-skill) from ClawHub.
Skill page: https://clawhub.ai/terrycarter1985/sonos-music-search-skill
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install sonos-music-search-skill

ClawHub CLI


npx clawhub@latest install sonos-music-search-skill

Security Scan

VirusTotal: Benign

OpenClaw: Suspicious (high confidence)

Purpose & Capability
The skill's stated purpose (use Brave Search to find Spotify tracks and play them on Sonos) matches the code's imports ( @brave/search-api and sonos ). However the registry metadata lists no required environment variables or primary credential while both SKILL.md and src/index.js require BRAVE_API_KEY — this mismatch is incoherent and should have been declared.
Instruction Scope
Runtime instructions are generally scoped to the declared purpose: call Brave Search, extract a Spotify track URL, discover Sonos devices on the LAN, and play a URI. The code does not attempt to read unrelated files or external secrets. Implementation issues: the module throws immediately if BRAVE_API_KEY is missing (happens at import time), only uses the first search result without fallback, and converts URLs with an unchecked string replace which can produce invalid URIs. Those are functional/robustness problems but not evidence of exfiltration.
Install Mechanism
There is no install spec in registry metadata (instruction-only), but the package contains package.json and dependencies (@brave/search-api, sonos). Installing will pull those npm packages — a normal source for this functionality. No downloads from arbitrary URLs or archive extraction are present. The absence of an explicit install spec while code/deps exist is a mild inconsistency to be aware of.
Credentials
Only one secret is actually needed: BRAVE_API_KEY, which is appropriate for a Brave Search integration. However the registry metadata incorrectly lists no required env vars; this is an important omission. No other credentials or unrelated environment access are requested.
Persistence & Privilege
The skill does not request elevated persistence (always:false), is user-invocable, and does not modify other skills or system-wide config. It performs network calls (Brave Search) and local LAN discovery of Sonos devices — expected for its purpose.
Scan Findings in Context
[API_KEY_REQUIRED_AT_IMPORT] expected: Requiring a Brave API key is expected for this skill's purpose, but the code throws at top-level when the env var is missing which makes importing the module unsafe for environments that want to inspect or test the skill without the key.
[UNVALIDATED_SPOTIFY_URL_REPLACE] unexpected: Replacing the first search result URL with a Spotify URI without validating the URL format is an implementation bug (can produce invalid URIs). It's related to the skill purpose but is a correctness/risk issue rather than expected behavior.
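As an added example (not code from the skill, its author, or ClawHub), here is how the two flagged behaviours can be hardened in Node.js: the Brave key is read when a search is actually made rather than at module load, and a search hit is turned into a Spotify URI only after it has been checked to be a canonical open.spotify.com track URL, with the first non-matching hits skipped instead of blindly using results[0]. The function names, the result object shape and the sample results are assumptions made for illustration.

```javascript
// Added example, not the skill's own code. Assumed names: spotifyUrlToUri,
// firstPlayableTrack, getBraveApiKey. Assumed result shape: { title, url }.

// Only canonical Spotify track URLs are accepted: optional locale segment
// (e.g. /intl-de/), the literal "track/", a 22-character base62 id, then
// an optional query/fragment. Album or playlist pages, spotify.link
// redirects, YouTube hits and garbage all fail the match.
const SPOTIFY_TRACK_RE =
  /^https:\/\/open\.spotify\.com\/(?:intl-[a-z]{2}\/)?track\/([0-9A-Za-z]{22})(?:[?#].*)?$/;

// Returns "spotify:track:<id>" or null; never produces a URI from an
// unvalidated string replace.
function spotifyUrlToUri(url) {
  let parsed;
  try {
    parsed = new URL(url); // throws on undefined, empty or malformed input
  } catch {
    return null;
  }
  const m = SPOTIFY_TRACK_RE.exec(parsed.href);
  return m ? `spotify:track:${m[1]}` : null;
}

// Walk the search results and return the first one that is a playable
// Spotify track, or null when none qualifies (caller should report
// "no track found" rather than sending something to the speaker).
function firstPlayableTrack(results) {
  for (const r of results) {
    const uri = spotifyUrlToUri(r && r.url);
    if (uri) return { uri, title: r.title };
  }
  return null;
}

// Read the credential at call time, not at module load, so the module can
// be imported, inspected and unit-tested without the key present.
function getBraveApiKey(env = process.env) {
  const key = env.BRAVE_API_KEY;
  if (!key) {
    throw new Error('BRAVE_API_KEY is not set; export it before invoking the skill');
  }
  return key;
}

// Constructed sample of what a web-search response might contain; this is
// not a real Brave API response and the track id is made up.
const SAMPLE_RESULTS = [
  { title: 'Comfortably Numb - YouTube', url: 'https://www.youtube.com/watch?v=dQw4w9WgXcQ' },
  { title: 'The Wall - Album', url: 'https://open.spotify.com/album/0123456789abcdefABCDEF' },
  { title: 'Comfortably Numb - song', url: 'https://open.spotify.com/intl-de/track/0123456789abcdefABCDEF?si=abc' },
];

// Stand-alone demonstration: only the third result is accepted.
console.log(firstPlayableTrack(SAMPLE_RESULTS));
```

The important property is that an unexpected first hit (a YouTube page, an album link) now produces `null` and an explicit "nothing to play" path instead of an invalid URI handed to the `sonos` library, and that requiring the module no longer depends on the environment.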
What to consider before installing
This skill appears to implement what it claims (Brave Search → find Spotify track → play on Sonos), but I recommend the following before installing or enabling it:

1) Do not rely on the registry metadata alone — the code requires BRAVE_API_KEY but the metadata does not declare it. Set BRAVE_API_KEY in your environment before using the skill (or the module will throw at import).
2) Inspect package.json and the two dependencies (@brave/search-api and sonos) and run `npm audit` locally; installing will fetch code from npm.
3) Be aware the skill performs web searches and will use the first search hit without robust validation — it may fail to play or produce incorrect URIs.
4) If you plan to enable autonomous invocation, remember the skill will make outbound network calls (Brave) and perform LAN discovery of Sonos devices; only grant access in environments where that is acceptable.
5) Prefer installing only if the project source and repository are trustworthy; ask the publisher to fix the metadata to declare BRAVE_API_KEY and to validate Spotify URLs and search fallbacks before you enable it.
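An added example (not ClawHub's tooling and not the skill's code) of the pre-install inspection recommended in points 2 and 5 above: an offline check of a package.json that reports install-time lifecycle scripts, dependencies that resolve outside the npm registry (git, URL or file specs), unpinned version ranges, and any dependency beyond the two the scan names. Both manifests below are constructed for illustration; the real package.json is not shown on this page.

```javascript
// Added example, not the skill's own manifest or ClawHub's scanner.
// auditPackageJson(pkg, expectedDeps) returns a list of findings; an empty
// list means the manifest is consistent with "plain registry install,
// no scripts, only the dependencies you expected".

const LIFECYCLE_SCRIPTS = ['preinstall', 'install', 'postinstall', 'prepare', 'prepublish'];
// Dependency specs that npm fetches from somewhere other than the public
// registry by package name (git, GitHub shorthand, http(s) tarballs, file:).
const NON_REGISTRY_SPEC = /^(?:git\+|git:|github:|gitlab:|bitbucket:|https?:|file:|[^@\/\s]+\/[^@\/\s]+$)/;
// A fully pinned semver version such as 1.15.0 (no ^, ~, ranges or tags).
const PINNED_VERSION = /^\d+\.\d+\.\d+$/;

function auditPackageJson(pkg, expectedDeps) {
  const findings = [];

  const scripts = pkg.scripts || {};
  for (const name of LIFECYCLE_SCRIPTS) {
    if (scripts[name]) {
      findings.push(`lifecycle script "${name}" runs on install: ${scripts[name]}`);
    }
  }

  const deps = Object.assign({}, pkg.dependencies, pkg.optionalDependencies);
  for (const [name, spec] of Object.entries(deps)) {
    if (expectedDeps && !expectedDeps.includes(name)) {
      findings.push(`unexpected dependency: ${name}`);
    }
    if (NON_REGISTRY_SPEC.test(spec)) {
      findings.push(`dependency ${name} resolves outside the registry: ${spec}`);
    } else if (!PINNED_VERSION.test(spec)) {
      findings.push(`dependency ${name} is not pinned: ${spec}`);
    }
  }
  return findings;
}

// Constructed manifest resembling what the scan describes (two registry
// dependencies, no install spec). Version ranges are made up.
const SAMPLE_PACKAGE_JSON = {
  name: 'sonos-music-search-skill',
  version: '1.0.0',
  dependencies: { '@brave/search-api': '^1.0.0', sonos: '^1.15.0' },
  scripts: { test: 'node test.js' },
};

// Constructed manifest showing what a riskier package would look like.
const RISKY_PACKAGE_JSON = {
  name: 'example-skill',
  version: '0.1.0',
  dependencies: { sonos: '1.15.0', helper: 'github:someone/helper' },
  scripts: { postinstall: 'node setup.js' },
};

const EXPECTED_DEPS = ['@brave/search-api', 'sonos'];

// Stand-alone demonstration.
console.log(auditPackageJson(SAMPLE_PACKAGE_JSON, EXPECTED_DEPS));
console.log(auditPackageJson(RISKY_PACKAGE_JSON, EXPECTED_DEPS));
```

Run this against the extracted package before installing; if it is clean, install with `npm install --ignore-scripts` and then `npm audit`, so that even a dependency's own lifecycle script cannot run during the install you are inspecting.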


latest: vk973jysvwdbst82prwycawcpgd84e38r
79 downloads
0 stars
1 version
Updated 2w ago
v1.0.0
License: MIT-0

Sonos Music Search Skill

Search for and play music on your Sonos speakers directly from OpenClaw, powered by Brave Search.

Features

  • 🔍 Uses Brave Search to find Spotify tracks across the web
  • 🔊 Automatically plays found tracks on your specified Sonos speaker
  • 🎵 View currently playing track information
  • 🚀 Minimal configuration: the only setting required is your Brave Search API key

Installation

clawhub install sonos-music-search

Note: the registry page URL and the CLI commands above use the slug sonos-music-search-skill; if the shorter slug is not found, install with that one.

Set your Brave Search API key:

export BRAVE_API_KEY=your-api-key-here

Get your API key at: https://api.search.brave.com/

Usage

Play a track

sonos play "Living Room" "pink floyd comfortably numb"

View currently playing

sonos current "Living Room"

Requirements

  • Sonos speaker(s) on the same network
  • Brave Search API key
  • Node.js 18+

Changelog

1.0.0

  • Initial release
  • Brave Search integration
  • Basic Sonos playback control
