Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Spotify Skill

v1.1.1

Control Spotify playback, search music, manage playlists, generate discovery playlists, and analyze listening habits via the Spotify Web API. Use when asked...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (Spotify playback, playlists, recommendations) align with the included scripts and SKILL.md. The code calls accounts.spotify.com and api.spotify.com and implements playback, search, playlists, user-data and recommendation features that match the stated capabilities.
Instruction Scope
SKILL.md instructs creating a Spotify app, placing credentials in config.json (or using env vars), running auth.py to perform OAuth, and running spotify.py commands. These instructions stay within the domain of Spotify integration. Note: the skill saves client credentials and OAuth tokens to a local config.json file and will read/override them from environment variables if present — that's expected for this workflow but is sensitive behavior the user should be aware of.
Install Mechanism
No install spec (instruction-only with included scripts). There is no download-from-URL or third-party package install step; all code is contained in the skill bundle.
Credentials
Registry metadata lists no required env vars but the SKILL.md documents optional SPOTIFY_CLIENT_ID, SPOTIFY_CLIENT_SECRET, and SPOTIFY_REDIRECT_URI overrides; the scripts use these if present and otherwise read config.json. The requested secrets are proportional to the skill's purpose, but they are sensitive (client secret, refresh/access tokens) and are stored in plaintext config.json in the skill directory.
Persistence & Privilege
always is false and the skill does not request elevated or platform-wide persistence. It only writes/reads its own config.json and does not modify other skills or system-wide agent settings.
Assessment
This skill appears to do what it says: it uses the Spotify OAuth flow and the Web API to control playback and manage playlists. Before installing: (1) understand you must create a Spotify developer app and supply the client_id and client_secret; (2) the skill saves OAuth tokens and your client credentials to a local config.json (plaintext) in the skill directory — consider using environment variables and restrict file permissions (chmod 600) or remove the file after use; (3) the OAuth scopes requested are broad (playback, modify playlists, read/save library, etc.) — grant only if you accept that access; (4) run the initial auth on a machine you control (it opens a browser and asks you to paste an authorization code), and revoke the app from your Spotify account if you later want to remove access; (5) if you are not comfortable storing client secrets or tokens locally, review or modify the scripts to change storage behavior before use.
Static analysis finding: config.example.json:4: Install source points to URL shortener or raw IP.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.


latest · vk971mxw9xms636tbys7tm272ax84abe5


Runtime requirements

Environment variables
SPOTIFY_CLIENT_ID (optional): Spotify app client ID (or set in config.json)
SPOTIFY_CLIENT_SECRET (optional): Spotify app client secret (or set in config.json)
SPOTIFY_REDIRECT_URI (optional): OAuth redirect URI (default http://127.0.0.1:3000/callback)
