Save To Spotify

Pass
Audited by VirusTotal on May 7, 2026.

Overview

Type: OpenClaw Skill
Name: save-to-spotify
Version: 0.1.1

The skill bundle facilitates complex audio production and Spotify integration, but it employs high-risk patterns, most notably a 'curl | bash' installation script in SKILL.md and references/cli-usage.md. Although the domain saveto.spotify.com suggests an official source, piping a remote script straight into a shell is a significant supply chain risk: whatever the server returns at install time runs with the user's privileges, unreviewed and unpinned. The skill also requires broad shell execution privileges and manages multiple sensitive API keys (OpenAI, ElevenLabs, Spotify) across several reference files, which an attacker could leverage if the agent is compromised.

Findings (0)

This is an artifact-based, informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes, so the notes below describe documented capabilities rather than observed behaviour.

What this means

Installing the skill’s CLI means running code downloaded from the network on the user’s machine.

Why it was flagged

The skill relies on a remote installer for the required CLI rather than including reviewed code in the artifact set.

Skill content
curl -fsSL https://saveto.spotify.com/install.sh | bash
Recommendation

Only install after confirming the source is trusted; pin the documented version, download the installer to a file, and review it (or the corresponding GitHub release) before running it, rather than piping it into a shell.
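The recommendation above amounts to three steps: fetch the installer to disk, check it against a digest pinned from a release you have reviewed, and only then run it by hand. The POSIX shell below does that; it is an added example, not code from the skill or from ClawScan. The helper names and the `SHA-256` placeholder in the usage comment are this example's own assumptions; the real digest has to come from the release you reviewed, not from the same server that serves install.sh.

```shell
#!/bin/sh
# Safer substitute for "curl ... | bash": download the installer to a file,
# compare its SHA-256 against a digest pinned from the reviewed release,
# and only then run it by hand. Helper names are this example's own.

# sha256_of FILE: print the hex SHA-256 of FILE (GNU sha256sum or BSD shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_installer FILE EXPECTED: 0 when FILE's digest equals EXPECTED, 1 otherwise.
verify_installer() {
  [ "$(sha256_of "$1")" = "$2" ]
}

# stage_installer URL DEST EXPECTED: fetch URL into DEST over TLS only and
# refuse to proceed on a digest mismatch. Nothing is executed here; the
# reviewer reads DEST and then runs "sh DEST" deliberately.
stage_installer() {
  url="$1"; dest="$2"; expected="$3"
  curl -fsSL --proto '=https' --tlsv1.2 -o "$dest" "$url" || return 1
  if verify_installer "$dest" "$expected"; then
    echo "digest OK: review $dest, then run it with: sh $dest"
  else
    echo "digest MISMATCH for $dest; removing it, do not run it" >&2
    rm -f "$dest"
    return 1
  fi
}

# Usage (the digest below is a placeholder, not a real value):
#   stage_installer https://saveto.spotify.com/install.sh ./install.sh \
#     0000000000000000000000000000000000000000000000000000000000000000
```

`--proto '=https'` keeps curl from following a downgrade to plain HTTP, and removing a mismatching file avoids leaving an unreviewed script lying around for a later careless `sh ./install.sh`.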

What this means

The CLI can act on the user’s Spotify account for this workflow, including saving content and managing shows or episodes.

Why it was flagged

The skill needs delegated Spotify account access and stores an OAuth token locally for later CLI/API use.

Skill content
This opens the browser, the user approves, and a token is saved to `~/.config/save-to-spotify/token.json`.
Recommendation

Authenticate only with the intended Spotify account, review the OAuth scopes requested at approval time, keep the token file readable only by your own user, and revoke the app's access from your Spotify account settings if you stop using the skill; deleting the local token file alone does not revoke the grant on Spotify's side.

What this means

If used carelessly, the agent could remove saved Spotify content such as episodes or an entire show.

Why it was flagged

The documented CLI can delete Spotify shows and episodes; this is disclosed and related to show management, but it is a high-impact operation.

Skill content
save-to-spotify --json shows delete <show_id> ... # Delete an episode
save-to-spotify --json episodes delete <episode_id>
Recommendation

Require an explicit user confirmation with the exact show or episode ID before any delete or delete-and-recreate workflow.
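One way to enforce that confirmation in an agent's tool layer is a wrapper that refuses to call the delete subcommands until the operator has retyped the exact ID. The wrapper below is an added example, not part of the skill or of ClawScan; the subcommand names `shows` and `episodes` come from the documented CLI, while the function names and the `SAVE_TO_SPOTIFY_BIN` override (which lets the wrapper be exercised without the real CLI installed) are this example's assumptions.

```shell
#!/bin/sh
# Guard the CLI's destructive subcommands behind an exact-ID confirmation.
# Function names and SAVE_TO_SPOTIFY_BIN are this example's own; the
# subcommand names match the skill's documented CLI.

# confirm_delete KIND ID: read one line from stdin and succeed only when it
# equals ID character for character. No prefix matching, no "y/N".
confirm_delete() {
  kind="$1"; id="$2"
  printf 'Retype the %s ID %s to confirm deletion: ' "$kind" "$id" >&2
  IFS= read -r typed || return 1          # EOF or closed stdin counts as "no"
  [ "$typed" = "$id" ]
}

# guarded_delete KIND ID: KIND is "shows" or "episodes". Invokes the CLI's
# delete subcommand only after confirm_delete succeeds.
guarded_delete() {
  kind="$1"; id="$2"
  case "$kind" in
    shows|episodes) ;;
    *) echo "unknown kind: $kind (expected shows or episodes)" >&2; return 2 ;;
  esac
  if confirm_delete "$kind" "$id"; then
    "${SAVE_TO_SPOTIFY_BIN:-save-to-spotify}" --json "$kind" delete "$id"
  else
    echo "confirmation did not match; nothing deleted" >&2
    return 1
  fi
}

# Usage:
#   guarded_delete episodes <episode_id>
```

Because the prompt reads from the wrapper's stdin, an agent that drives the CLI non-interactively gets EOF and the delete is refused; the confirmation has to come from a human-attached terminal or an explicitly wired approval step.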

What this means

Private or sensitive source text could be shared with a third-party voice or image-generation provider if the user chooses a cloud provider.

Why it was flagged

Generated scripts or source-derived text may be sent to the user-selected TTS provider to create narration.

Skill content
The user picks their own TTS engine and voice ... OpenAI TTS ... ElevenLabs ... Google Cloud TTS ... Amazon Polly
Recommendation

Use local/offline providers for sensitive material, and check the privacy terms of any cloud TTS or image provider before sending content.