Spotify History

v1.1.0

Access Spotify listening history, top artists/tracks, and get personalized recommendations via the Spotify Web API. Use when fetching a user's recent plays, analyzing music taste, or generating recommendations. Requires one-time OAuth setup.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
Name, description, and the Python scripts all legitimately implement Spotify API access (recent plays, top artists/tracks, recommendations). Requiring OAuth client id/secret and storing tokens in ~/.config/spotify-clawd is consistent with the stated purpose.
Instruction Scope
SKILL.md and setup.sh present two credential storage options (credentials/spotify.json or env vars) and say the credential file is checked first, but neither spotify-auth.py nor spotify-api.py reads credentials/spotify.json; both read only SPOTIFY_CLIENT_ID and SPOTIFY_CLIENT_SECRET from environment variables. setup.sh writes credentials/spotify.json but does not export the credentials into environment variables before launching spotify-auth.py. That mismatch will cause the auth step to fail unless the user manually sets env vars. The instructions therefore promise behavior (file-based credentials being used automatically) that the code does not perform.
Install Mechanism
No install spec and no third-party downloads; the skill is instruction+scripts only. Nothing is being fetched from untrusted URLs or installed system-wide by the skill files themselves.
Credentials
The only sensitive secrets involved are the Spotify Client ID and Client Secret — appropriate and proportionate for a Spotify integration. However, the registry metadata lists no required env vars while the code expects SPOTIFY_CLIENT_ID/SPOTIFY_CLIENT_SECRET; this inconsistency should be clarified. Tokens are stored locally at ~/.config/spotify-clawd/token.json (expected) and credentials/spotify.json is written in the workspace by the setup script (user-visible, with chmod 600 in script).
Persistence & Privilege
always:false and standard agent invocation. The skill writes a token file to the user's home config directory and may write a workspace credentials file — reasonable for an OAuth client. The skill does not request elevated privileges or modify other skills/configs.
What to consider before installing
This skill appears to be a genuine Spotify OAuth client, not malware, but the provided setup is inconsistent and likely to fail if run as-is. Before running anything:
1) Inspect scripts locally (you already have them).
2) Do not paste client secrets into untrusted places; prefer env vars over leaving secrets in project files.
3) To make setup work, either export SPOTIFY_CLIENT_ID and SPOTIFY_CLIENT_SECRET in your shell before running the auth script, or modify spotify-auth.py/spotify-api.py to load credentials/spotify.json (the setup script writes that file but the Python code currently doesn't read it).
4) Note token storage path: ~/.config/spotify-clawd/token.json. Delete it if you want to revoke local access.
5) If you don't want to modify files, run the auth script manually after exporting env vars rather than relying on setup.sh.
Because of the mismatch between the README/SKILL.md and the actual code, treat this skill as untrusted until you correct or confirm the credential flow.

Like a lobster shell, security has layers — review code before you run it.
