Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Spotify Safe Play

v0.1.0

Safer Spotify playback for OpenClaw on setups where direct spogo play is unreliable.

0 stars · 113 downloads · 0 current · 0 all-time

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for surdragon-design/spotify-safe-play.

Prompt preview (Install & Setup):
Install the skill "Spotify Safe Play" (surdragon-design/spotify-safe-play) from ClawHub.
Skill page: https://clawhub.ai/surdragon-design/spotify-safe-play
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install spotify-safe-play

ClawHub CLI

npx clawhub@latest install spotify-safe-play

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (high confidence)

! Purpose & Capability
The skill's purpose (workaround for unreliable 'spogo play') matches the declared dependency on spogo. However, the SKILL.md repeatedly refers to a 'Wrapper script: ./bin/spotify-safe-play' and 'Files included with this skill', yet the registry shows only SKILL.md present and no bin/spotify-safe-play script. That mismatch (claiming included executable files that are absent) is incoherent.
! Instruction Scope
Instructions tell the agent to run a local wrapper script (or a user-installed spotify-safe-play in PATH) that expands Spotify pages (using curl/grep/awk) and queues URIs via spogo. The actions themselves are within the stated purpose, but the SKILL.md requires Bash, curl, grep, awk while the registry metadata only declared spogo as a required binary—another mismatch. Because the wrapper script is not present, it's unclear what exact commands would be executed, which raises risk and ambiguity.
Install Mechanism
There is no install spec (instruction-only skill), so nothing will be written to disk by the package installer. That is the lower-risk installation pattern. However, the absence of the promised wrapper script means the skill either expects the user to install it separately or the skill is incomplete; this is a functional/integrity issue rather than an installation risk in itself.
Credentials
The skill does not request environment variables or credentials. Its stated external requirements (Spotify Premium, spogo authenticated, a Spotify Connect target) are appropriate and proportional to the playback use case.
Persistence & Privilege
The skill is not marked always:true and does not request special agent-wide persistence. Model invocation is allowed (platform default), which is expected for an invocable playback skill.
What to consider before installing
This skill claims to include a wrapper script (./bin/spotify-safe-play) but the package only contains SKILL.md. Before installing or using it, ask the publisher for the missing script or clear install instructions. If you plan to run a wrapper you obtain from the repo, inspect its contents (don't run unknown binaries/scripts unreviewed). Also verify you have spogo installed and authenticated and that bash/curl/grep/awk are available, since SKILL.md relies on them even though they aren't declared in the registry metadata. If you don't trust the source, prefer a sandboxed environment or decline the skill. If you want to proceed, request the author to publish a complete package (or provide the wrapper in PATH) and to reconcile the declared required binaries with the instructions.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Any bin: spogo
Tags: latest, openclaw, spogo, spotify, wsl2
113 downloads
0 stars
1 version
Updated 1mo ago
v0.1.0
MIT-0

Spotify Safe Play

Use this skill when the user wants to play Spotify tracks, albums, or playlists and the machine is known to have unreliable direct spogo play behavior.

Files included with this skill

  • Wrapper script: ./bin/spotify-safe-play

Preferred commands

  • Search track: spogo search track "query"
  • Search album: spogo search album "query"
  • Search playlist: spogo search playlist "query"
  • Safe playback: ./skills/spotify-safe-play/bin/spotify-safe-play <spotify-uri-or-url-or-id> [--device "..."]
  • Pause / resume / next / previous: spogo pause, spogo play, spogo next, spogo prev
  • Devices: spogo device list, spogo device set "<name|id>"
  • Status: spogo status

Playback rules

  • For tracks, the wrapper safely queues the requested track and skips to it.
  • For albums and playlists, the wrapper expands the public Spotify page into track URIs, queues them in normal order, skips once into the first track, then exits immediately.
  • After the first target track starts, do not send extra next, play, or verification loops.
  • Avoid direct spogo play <track> on affected machines because it may resume the current context instead of switching to the requested content.
  • If the user has separately installed spotify-safe-play into PATH, spotify-safe-play <item> ... is also acceptable.

Requirements

  • Spotify Premium
  • spogo installed and authenticated
  • Bash, curl, grep, and awk
  • An active Spotify Connect target such as Spotify Web Player or the desktop app
