Sonoscli

Pass

Audited by ClawScan on May 1, 2026.

Overview

The skill is coherent for controlling Sonos speakers, with ordinary caution needed for an external CLI install, speaker state changes, and optional Spotify credentials.

This appears safe to install if you trust the upstream Sonos CLI. Review the external Go package source or pin a version if needed, and use the skill deliberately because it can change speaker playback, volume, groups, and queues.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used on the wrong speaker or without confirming the action, it could interrupt playback, change volume, alter groups, or clear a speaker queue.

Why it was flagged

The skill documents state-changing Sonos commands. This is expected for a Sonos control skill, but users should notice that invoking it can change playback, volume, grouping, or the current queue.

Skill content

`sonos play|pause|stop --name "Kitchen"`; `sonos volume set 15 --name "Kitchen"`; `sonos queue list|play|clear`

Recommendation

Confirm the target speaker and action before using state-changing commands, especially volume, grouping, party mode, and queue clear.

What this means

A future upstream change could affect what gets installed, even though the skill instructions themselves are minimal.

Why it was flagged

The skill installs an external CLI from a Go module using the moving @latest version. This is disclosed and aligned with the purpose, but it means the installed code may change over time.

Skill content

go | module: github.com/steipete/sonoscli/cmd/sonos@latest | creates binaries: sonos

Recommendation

If you need reproducibility, install or pin a specific trusted version of the Sonos CLI and review the upstream project before installation.

What this means

If configured, the CLI may use the provided Spotify client credentials for search-related requests.

Why it was flagged

The skill discloses optional use of Spotify API credentials for Spotify search. This is purpose-aligned, but it is credential-based access that users should intentionally configure.

Skill content

Spotify Web API search is optional and requires `SPOTIFY_CLIENT_ID/SECRET`.

Recommendation

Use dedicated, least-privilege Spotify API credentials for this purpose and avoid sharing broader account secrets.