Save To Spotify
Pass
Audited by ClawScan on May 7, 2026.
Overview
The skill is coherent for creating and saving audio to Spotify, but users should notice that it installs an external CLI, uses Spotify OAuth, and can create or delete Spotify shows and episodes.
Before installing, confirm you trust the external `save-to-spotify` CLI source, review the Spotify OAuth permissions, and ask the agent to confirm before creating, deleting, or recreating any show or episode. For sensitive content, choose a local TTS/image provider rather than sending text or prompts to cloud services.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill’s CLI means running code downloaded from the network on the user’s machine.
The skill relies on a remote installer for the required CLI rather than including reviewed code in the artifact set.
curl -fsSL https://saveto.spotify.com/install.sh | bash
Only install after confirming the source is trusted; prefer pinning the documented version and reviewing the installer or GitHub release when possible.
The CLI can act on the user’s Spotify account for this workflow, including saving content and managing shows or episodes.
The skill needs delegated Spotify account access and stores an OAuth token locally for later CLI/API use.
This opens the browser, the user approves, and a token is saved to `~/.config/save-to-spotify/token.json`.
Authenticate only with the intended Spotify account, review requested OAuth permissions, and revoke the token if you stop using the skill.
If used carelessly, the agent could remove saved Spotify content such as episodes or an entire show.
The documented CLI can delete Spotify shows and episodes; this is disclosed and related to show management, but it is a high-impact operation.
save-to-spotify --json shows delete <show_id>
...
# Delete an episode
save-to-spotify --json episodes delete <episode_id>
Require an explicit user confirmation with the exact show or episode ID before any delete or delete-and-recreate workflow.
Private or sensitive source text could be shared with a third-party voice or image-generation provider if the user chooses a cloud provider.
Generated scripts or source-derived text may be sent to the user-selected TTS provider to create narration.
The user picks their own TTS engine and voice ... OpenAI TTS ... ElevenLabs ... Google Cloud TTS ... Amazon Polly
Use local/offline providers for sensitive material, and check the privacy terms of any cloud TTS or image provider before sending content.
