Skill v1.0.0

ClawScan security

Spotify Player · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 11, 2026, 8:21 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill is an instruction-only wrapper that tells the agent to use local CLI tools (spogo or spotify_player) for Spotify playback; its requirements and instructions are consistent with that purpose.
Guidance
This is an instruction-only skill that expects you to have (or install) a local Spotify CLI (spogo preferred, or spotify_player). Before installing or using it:
1) verify the Homebrew tap/formula sources (spogo is suggested from steipete/tap, a third-party tap),
2) understand that running spogo auth import may access your browser cookie store to authenticate (so run that command yourself and review what it does),
3) the skill does not request API keys or environment secrets, but it does use a local config (~/.config/spotify-player) where you may place a client_id for Spotify Connect; keep sensitive tokens out of config unless you trust the tool, and
4) if you don’t want the agent to run these CLI commands automatically, only invoke the skill manually or change invocation settings.

Review Dimensions

Purpose & Capability
ok: Name/description (terminal Spotify playback/search) matches the instructions: they require either the spogo or spotify_player CLI and a Spotify Premium account. Nothing requested (no env vars, no unexpected credentials) is outside that purpose.
Instruction Scope
note: SKILL.md confines actions to running local CLI commands (search, play, device list/set, status) and referencing a local config folder (~/.config/spotify-player). One instruction (spogo auth import --browser chrome) implies importing browser cookies; this may require the user to grant access to browser cookie storage when running that CLI, but the skill's instructions themselves do not ask the agent to read other arbitrary files or exfiltrate data.
Install Mechanism
note: The registry shows no formal install spec, but SKILL.md metadata suggests Homebrew installs: spogo from the third-party tap steipete/tap and spotify_player. Homebrew installs are common and expected for CLIs, but a third-party tap means code comes from a non-core source; users may want to inspect the tap/formula before installing.
Credentials
ok: No environment variables or credentials are requested. The skill references a local config path and the optional client_id setting for Spotify Connect; this is proportionate and expected for a local CLI-based Spotify client.
Persistence & Privilege
ok: Skill is user-invocable, not always-on, and does not request persistent system privileges or modify other skills. It does not ask to store credentials in the agent or change global agent settings.