Spotify

v1.0.0

Control Spotify playback on any Linux device via command line, requiring Spotify Premium and an active Spotify session on another device.

by shawn pana (@shawnpana)
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md describes a CLI that installs a 'spotify' script to /usr/local/bin and requires Spotify developer credentials, which is consistent with a Spotify playback controller. However the skill bundle contains no script or code file, and the registry metadata lists no required credentials or config paths. Asking users to copy an executable that isn't included is an incoherence and reduces trust.
Instruction Scope
Runtime instructions stay within the expected scope for a Spotify CLI (install spotipy, create Spotify Developer App, store client id/secret in ~/.config/spotify-cli/config, authenticate via redirect URL). They ask the user/agent to read/write files under the user's home directory and to paste an OAuth redirect URL — all reasonable for this purpose. The docs also instruct using sudo to install a binary into /usr/local/bin, which is normal for a CLI but requires elevated privilege.
Install Mechanism
There is no install spec in the skill bundle (instruction-only), which is low-risk. The instructions call for pip3 install spotipy (standard PyPI). The oddity is the manual step to copy a 'spotify' executable — but that executable is not provided in the package, so the instructions assume an external artifact or missing code.
Credentials
The skill does not declare any required environment variables in metadata, yet the instructions require creating a config file containing SPOTIPY_CLIENT_ID and SPOTIPY_CLIENT_SECRET (sensitive secrets). That is proportionate to the stated functionality, but the metadata should declare credential requirements and the handling/storage of secrets should be explicit.
Persistence & Privilege
No elevated privileges are requested by the skill metadata (always: false). The only privileged action in the instructions is using sudo to copy an executable into /usr/local/bin, which is a typical CLI install step but requires care. The skill does not request permanent agent-wide presence or modify other skills' configs.
What to consider before installing
This skill appears to be a set of installation/runtime instructions for a Spotify CLI, but the package does not include the actual 'spotify' executable the instructions tell you to copy into /usr/local/bin. Before installing or running anything:

  1. Ask the publisher for the source code or a trusted download link for the 'spotify' script; do not run sudo cp on an unknown file.
  2. Treat SPOTIPY_CLIENT_SECRET as sensitive — prefer a secure storage mechanism and avoid pasting it into public places.
  3. Confirm the redirect URI and OAuth flow before pasting redirect URLs into prompts.
  4. If you don't trust the publisher, implement the CLI yourself (or use an official client) rather than copying third-party binaries.

If the publisher provides the missing script and updates the metadata to declare credential requirements, re-evaluate; currently the missing executable and undocumented credential requirements make this package suspicious.

Like a lobster shell, security has layers — review code before you run it.

1.8k downloads
1 star
1 version
Updated 1mo ago
License: MIT-0

Spotify CLI

A simple command-line interface for controlling Spotify playback from a Raspberry Pi (or any Linux system).

Requirements

  • Python 3
  • Spotify Premium account
  • spotipy Python library
  • Spotify app open on another device (phone, computer, or web player)

Installation

1. Install dependencies

pip3 install spotipy --break-system-packages

2. Create a Spotify Developer App

  1. Go to https://developer.spotify.com/dashboard
  2. Log in and click "Create App"
  3. Set Redirect URI to http://127.0.0.1:8888/callback
  4. Copy the Client ID and Client Secret

3. Create config file

mkdir -p ~/.config/spotify-cli
cat << EOF > ~/.config/spotify-cli/config
SPOTIPY_CLIENT_ID=your_client_id
SPOTIPY_CLIENT_SECRET=your_client_secret
SPOTIPY_REDIRECT_URI=http://127.0.0.1:8888/callback
EOF

The script automatically loads credentials from ~/.config/spotify-cli/config.

4. Install the script

sudo cp spotify /usr/local/bin/spotify
sudo chmod +x /usr/local/bin/spotify

5. Authenticate

Run any command (e.g., spotify status). On first run, you'll get a URL to open in your browser. After authorizing, copy the redirect URL (even if the page doesn't load) and paste it when prompted.

Commands

Command                   Description
spotify search <query>    Search for songs (shows top 5 results)
spotify play <song>       Search and play a song
spotify pause             Pause playback
spotify resume            Resume playback
spotify next              Skip to next track
spotify prev              Previous track
spotify status            Show currently playing track
spotify devices           List available Spotify devices

Examples

# Search for a song
spotify search "stairway to heaven"

# Play a song (tip: include artist for better results)
spotify play "stairway to heaven led zeppelin"

# Check what's playing
spotify status

# Control playback
spotify pause
spotify resume
spotify next

Best Practices (for AI agents)

When using this tool on behalf of a user:

  1. Always search first before playing. Use spotify search "query" to see results.
  2. Verify the match - confirm with the user that the search results match what they were looking for.
  3. Then play - once confirmed, use spotify play "exact song name artist" with the correct title/artist from the search results.

This avoids playing the wrong song due to Spotify's fuzzy search matching.

Example workflow:

# User asks: "play voice actor u projected 2"

# Step 1: Search first
spotify search "voice actor u projected 2"
# Results show: "U Projected 2 - Voice Actor, Yarrow.co"

# Step 2: Confirm with user that this is the right song

# Step 3: Play with exact match
spotify play "U Projected 2 Voice Actor"

Notes

  • This CLI controls playback on an existing Spotify session. You need Spotify open on another device (phone, computer, or https://open.spotify.com).
  • The CLI sends commands to that device - audio plays there, not on the Pi.
  • Requires Spotify Premium for playback control.

Troubleshooting

"No active device found"

Open Spotify on your phone/computer and play something, then try again.

"No devices found"

Make sure Spotify is open on at least one device and logged into the same account.

Auth token expired

Delete ~/.cache-* files and re-authenticate.
