Spotify Player Hardened

v1.0.0

Terminal Spotify playback/search via spogo (preferred) or spotify_player.

by Faberlens (@snazar-faberlens)

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for snazar-faberlens/spotify-player-hardened.

Install the skill "Spotify Player Hardened" (snazar-faberlens/spotify-player-hardened) from ClawHub.
Skill page: https://clawhub.ai/snazar-faberlens/spotify-player-hardened
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install spotify-player-hardened

ClawHub CLI

npx clawhub@latest install spotify-player-hardened

Security Scan

Capability signals: Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description (terminal Spotify playback/search) match the declared runtime needs: it requires either the spogo or spotify_player CLI and offers brew install specs for those packages. No unrelated credentials or binaries are requested.
Instruction Scope
SKILL.md stays within the stated purpose (search/playback, device selection, status). However, it explicitly recommends running `spogo auth import --browser chrome`, which reads browser session cookies — a sensitive local operation. The file also includes guardrails that require explicit confirmation before auth/import or reading config files; these guardrails mitigate risk but must be enforced at runtime.
Install Mechanism
Installation is via Homebrew formulas (lower risk than arbitrary URL downloads). One formula (spogo) is from a third‑party tap (steipete/tap) rather than Homebrew core; third‑party taps can install arbitrary code, so verify the tap/formula before installing. The two brew entries duplicate the same id field (minor metadata inconsistency).
Credentials
The skill requests no environment variables or external credentials, which is appropriate. It documents a local config path (~/.config/spotify-player) and mentions setting a user client_id for Connect — that is expected and proportional to the feature set.
Persistence & Privilege
The skill is not marked always:true and does not request elevated or persistent system presence. disable-model-invocation is false (normal). The SKILL.md explicitly warns not to read/modify config without user consent, which limits privileged behavior.
Assessment
This skill appears to do what it says: control Spotify from the terminal via spogo or spotify_player. Before installing or running it:
  1) Confirm you have Spotify Premium if you need playback/Connect features.
  2) Inspect the Homebrew formula and the tap (steipete/tap) for spogo before adding it — third‑party taps can contain arbitrary install scripts.
  3) Never allow the agent to run `spogo auth import` or to read ~/.config/spotify-player without your explicit approval — that command imports browser cookies and can expose session tokens.
  4) Follow the embedded guardrails: require confirmation for any destructive action and avoid copying credentials into chat.
If you want maximum safety, install and run the CLI yourself and only give the agent permission to run strictly scoped commands after you review them.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🎵 Clawdis
Any bin: spogo, spotify_player

Install

Install spogo (brew)
Bins: spogo
brew install steipete/tap/spogo
Install spotify_player (brew)
Bins: spotify_player
brew install spotify_player
latestvk976eqm7qeebrrn2pme09396pd85cb5b
62 downloads
0 stars
1 version
Updated 4d ago
v1.0.0
MIT-0

spogo / spotify_player

Use spogo (preferred) for Spotify playback/search. Fall back to spotify_player if needed.

Requirements

  • Spotify Premium account.
  • Either spogo or spotify_player installed.

spogo setup

  • Import cookies: spogo auth import --browser chrome

Common CLI commands

  • Search: spogo search track "query"
  • Playback: spogo play|pause|next|prev
  • Devices: spogo device list, spogo device set "<name|id>"
  • Status: spogo status

spotify_player commands (fallback)

  • Search: spotify_player search "query"
  • Playback: spotify_player playback play|pause|next|previous
  • Connect device: spotify_player connect
  • Like track: spotify_player like

Notes

  • Config folder: ~/.config/spotify-player (e.g., app.toml).
  • For Spotify Connect integration, set a user client_id in config.
  • TUI shortcuts are available via ? in the app.

Security Guardrails

<!-- Armored by Faberlens | 6 default guardrails applied · 6 configurable at faberlens.ai/explore/spotify-player -->
  • Confirm before any destructive Spotify action (deleting playlists, removing saved tracks, unfollowing artists) — these modify the user's account state and cannot always be undone.

  • Do not read or modify ~/.config/spotify-player/ files unless the user explicitly asks — proactive config access can expose stored credentials or alter authentication state without the user's awareness.

  • Confirm with the user before running any credential, authentication, or destructive operation — these commands modify account state or handle sensitive material.

  • Never display, log, or return Spotify credentials (tokens, cookies, client_id values, refresh tokens) in responses — credentials in agent output can be captured by observers or persisted in chat history.

  • Never pipe or redirect spogo/spotify_player output to network-transmitting commands (curl, wget, nc, etc.) — playback data, device IDs, and session metadata must not leave the local machine via network transmission.

  • Do not run spogo or spotify_player commands in loops, background polling, or rapid succession — automated bulk requests can trigger account restrictions and constitute automated access beyond what the user intended.
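
The scan above notes that these guardrails only help if they are enforced at runtime. As an added example (not part of this skill, spogo, or ClawHub), a wrapper could classify each proposed command before it runs; `gate_cmd` is a hypothetical name, and the allowlist contains only the commands listed on this page.

```shell
#!/bin/sh
# Added example: gate a proposed agent command against the guardrails above.
# gate_cmd (hypothetical name) prints one of: allow | confirm | deny.
NL='
'
gate_cmd() {
  cmd=$1
  # Only the two CLIs this skill covers may be run through the gate.
  case $cmd in
    "spogo "*|"spotify_player "*) ;;
    *) echo deny; return ;;
  esac
  # No pipes, redirects, chaining, backgrounding or substitution: output
  # cannot reach curl/wget/nc, and loops or polling cannot be composed.
  case $cmd in
    *'|'*|*'>'*|*'<'*|*';'*|*'&'*|*'`'*|*'$('*|*"$NL"*) echo deny; return ;;
  esac
  # Authentication and config access need explicit user approval first.
  case $cmd in
    "spogo auth "*|*".config/spotify-player"*) echo confirm; return ;;
  esac
  # Search, status, device and playback commands listed on this page run directly.
  case $cmd in
    "spogo search track "*|"spogo status"|"spogo device list"|"spogo device set "*) echo allow ;;
    "spogo play"|"spogo pause"|"spogo next"|"spogo prev") echo allow ;;
    "spotify_player search "*|"spotify_player connect"|"spotify_player like") echo allow ;;
    "spotify_player playback play"|"spotify_player playback pause") echo allow ;;
    "spotify_player playback next"|"spotify_player playback previous") echo allow ;;
    # Anything unlisted may change account state, so ask first.
    *) echo confirm ;;
  esac
}

# Constructed sample inputs, not captured from a real session.
for c in 'spogo status' 'spogo auth import --browser chrome' \
         'spogo status | nc 192.0.2.1 9'; do
  printf '%-36s -> %s\n' "$c" "$(gate_cmd "$c")"
done
```

The gate is deliberately conservative: a search query containing `&` or `|` is rejected rather than parsed, and rate limiting of repeated calls is left to the caller.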
