Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
LastFM to Spotify Playlists
v1.5.0 · Build music recommendations and create Spotify playlists using Last.fm similarity and listening history.
⭐ 0 · 109 · 0 current · 0 all-time
by Stanislav Stankovic (@stanestane)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (Last.fm discovery + optional Spotify playlist creation) aligns with the code and SKILL.md: the code talks to Last.fm's API for recommendations and to Spotify for search/playlist creation. However, the registry metadata declares no required environment variables and no primary credential, while SKILL.md and the code clearly use LASTFM_* and SPOTIFY_* credentials (or credential files). That omission is inconsistent and worth attention.
Instruction Scope
SKILL.md explicitly instructs the agent to run local Python scripts from the skill folder and to use Last.fm/Spotify APIs. The runtime instructions and code only reference Last.fm and Spotify endpoints and credential files under ~/.openclaw; they do not request other system secrets or contact unexpected external endpoints. The skill will read credentials from env vars or ~/.openclaw/* and will save a Spotify token to ~/.openclaw/spotify-token.json — this is expected for OAuth but should be noted.
Install Mechanism
There is no install spec, and requirements.txt indicates standard library only. This is an instruction/script-only skill with bundled Python files; no third-party installs or remote downloads are performed by the skill itself.
Credentials
The skill legitimately needs Last.fm API key/username and Spotify client id/secret/redirect URI (and will store Spotify tokens). Those credentials are proportionate to the described functionality, but the registry metadata did not declare these required env vars or a primary credential — this mismatch reduces transparency and could mislead users about what secrets they must provide. The skill also writes tokens to the user's home directory (~/.openclaw).
Persistence & Privilege
always:false (normal). The skill persists a Spotify token to ~/.openclaw/spotify-token.json and may create credential files there; that is expected for OAuth flows. It does not request elevated system privileges or modify other skills. Autonomous invocation is allowed (platform default) but not combined with other high-risk indicators here.
What to consider before installing
This appears to be a legitimate Last.fm→Spotify script set, but pay attention before running:
1) It requires Last.fm API credentials and Spotify client_id/client_secret/redirect_uri (or equivalent JSON files) even though the registry metadata omitted them. Do not supply secrets unless you trust the skill.
2) The skill will save a Spotify OAuth token to ~/.openclaw/spotify-token.json; ensure that location and its permissions meet your expectations. The token carries whatever scopes you authorized, so the file should be readable only by your user.
3) The provided pipeline excerpt appears truncated or contains an apparent typo; expect possible runtime errors. Inspect pipeline.py and run it in an isolated environment (or review the full code) before giving it your credentials.
4) Network activity is limited to Last.fm and Spotify APIs (no hidden endpoints detected), but for extra caution run the scripts in a sandbox, create limited-scope Spotify credentials (minimal scopes), and revoke them after testing.
spotify_credentials.example.json:4: Install source points to URL shortener or raw IP.
The skill has no install spec (see Install Mechanism), so check what value on that line actually matched before treating it as an install source: a loopback redirect URI for a local OAuth flow would satisfy a raw-IP regex without pointing at anything downloadable, whereas a routable IP or shortener used as a download source would deserve a closer look.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.
Like a lobster shell, security has layers: review code before you run it.
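The two checks a practitioner would actually run before installing this skill are the ones the report describes: list every URL literal in the skill folder and compare it against the hosts the skill is documented to contact, applying the same "URL shortener or raw IP" heuristic the static scanner uses, and confirm that the token file the skill writes is private. The script below is an added example and is not the skill's code nor ClawHub's scanner. The host allowlist (ws.audioscrobbler.com for Last.fm, api.spotify.com and accounts.spotify.com for Spotify), the shortener list, and all sample files it scans are assumptions constructed for the demo; the real skill's files are not reproduced here.

```python
"""Local pre-install audit for an OpenClaw skill folder.

Added example: not the skill's code and not ClawHub's scanner. The host
allowlist, the shortener list and the sample files are assumptions made for
this demo.
"""
import ipaddress
import os
import re
import stat
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Assumed allowlist: the hosts the scan report says the skill talks to.
ALLOWED_HOSTS = {
    "ws.audioscrobbler.com",   # Last.fm API
    "api.spotify.com",         # Spotify Web API
    "accounts.spotify.com",    # Spotify OAuth
}
# Assumed shortener list for the "URL shortener or raw IP" heuristic.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")
SCANNED_SUFFIXES = {".py", ".json", ".md", ".txt"}


def classify_url(url):
    """Bucket a URL: allowed, loopback-ip, raw-ip, shortener or unexpected."""
    host = urlparse(url).hostname or ""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # A loopback address is what a local OAuth redirect URI looks like;
        # a routable raw IP used as a download source deserves a closer look.
        return "loopback-ip" if ip.is_loopback else "raw-ip"
    if host in SHORTENER_HOSTS:
        return "shortener"
    if host in ALLOWED_HOSTS:
        return "allowed"
    return "unexpected"


def audit_folder(folder):
    """Return (file, line, url, class) for every URL literal in the folder."""
    findings = []
    for path in sorted(Path(folder).rglob("*")):
        if not path.is_file() or path.suffix not in SCANNED_SUFFIXES:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            for url in URL_RE.findall(line):
                findings.append((path.name, lineno, url, classify_url(url)))
    return findings


def token_file_is_private(path):
    """True only if path is a regular file with no group/other permission bits."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    return stat.S_ISREG(st.st_mode) and (st.st_mode & 0o077) == 0


def build_sample_skill(folder):
    """Constructed stand-in files; they are NOT the real skill's contents."""
    folder = Path(folder)
    (folder / "pipeline.py").write_text(
        'LASTFM_API = "https://ws.audioscrobbler.com/2.0/"\n'
        'SPOTIFY_SEARCH = "https://api.spotify.com/v1/search"\n'
    )
    (folder / "spotify_credentials.example.json").write_text(
        '{\n  "client_id": "YOUR_CLIENT_ID",\n'
        '  "redirect_uri": "http://127.0.0.1:8888/callback"\n}\n'
    )
    # Planted only to show what the heuristic is meant to catch.
    (folder / "planted.py").write_text('UPDATE_URL = "https://bit.ly/abc123"\n')


def demo():
    """Run the audit on the constructed folder plus two token files."""
    with tempfile.TemporaryDirectory() as tmp:
        skill = Path(tmp) / "skill"
        skill.mkdir()
        build_sample_skill(skill)
        findings = audit_folder(skill)
        private = Path(tmp) / "spotify-token.json"
        private.write_text("{}")
        os.chmod(private, 0o600)       # what you want for the saved OAuth token
        loose = Path(tmp) / "loose-token.json"
        loose.write_text("{}")
        os.chmod(loose, 0o644)         # group/world readable: flag it
        return {
            "findings": findings,
            "classes": {url: cls for _, _, url, cls in findings},
            "private_ok": token_file_is_private(private),
            "loose_ok": token_file_is_private(loose),
        }


if __name__ == "__main__":
    result = demo()
    for name, lineno, url, cls in result["findings"]:
        print(f"{name}:{lineno}: {cls:12} {url}")
    print("token private:", result["private_ok"], "| loose private:", result["loose_ok"])
```

Run it against a real skill folder with `audit_folder("path/to/skill")` and against the real token with `token_file_is_private(os.path.expanduser("~/.openclaw/spotify-token.json"))`. Anything classified `unexpected`, `raw-ip` or `shortener` is what the registry's regex finding is trying to surface; a `loopback-ip` hit on a redirect URI is the benign case to rule out first.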
latest: vk971n3h9n0xcsn22asdtfcwf9s83qw37
