Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Spotify Safe Play
v0.1.0
Safer Spotify playback for OpenClaw on setups where direct spogo play is unreliable.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill's purpose (workaround for unreliable 'spogo play') matches the declared dependency on spogo. However, the SKILL.md repeatedly refers to a 'Wrapper script: ./bin/spotify-safe-play' and 'Files included with this skill', yet the registry shows only SKILL.md present and no bin/spotify-safe-play script. That mismatch (claiming included executable files that are absent) is incoherent.
Instruction Scope
Instructions tell the agent to run a local wrapper script (or a user-installed spotify-safe-play in PATH) that expands Spotify pages (using curl/grep/awk) and queues URIs via spogo. The actions themselves are within the stated purpose, but the SKILL.md requires Bash, curl, grep, awk while the registry metadata only declared spogo as a required binary—another mismatch. Because the wrapper script is not present, it's unclear what exact commands would be executed, which raises risk and ambiguity.
Install Mechanism
There is no install spec (instruction-only skill), so nothing will be written to disk by the package installer. That is the lower-risk installation pattern. However, the absence of the promised wrapper script means the skill either expects the user to install it separately or the skill is incomplete; this is a functional/integrity issue rather than an installation risk in itself.
Credentials
The skill does not request environment variables or credentials. Its stated external requirements (Spotify Premium, spogo authenticated, a Spotify Connect target) are appropriate and proportional to the playback use case.
Persistence & Privilege
The skill is not marked always:true and does not request special agent-wide persistence. Model invocation is allowed (platform default), which is expected for an invocable playback skill.
What to consider before installing
This skill claims to include a wrapper script (./bin/spotify-safe-play) but the package only contains SKILL.md. Before installing or using it, ask the publisher for the missing script or clear install instructions. If you plan to run a wrapper you obtain from the repo, inspect its contents (don't run unknown binaries/scripts unreviewed). Also verify you have spogo installed and authenticated and that bash/curl/grep/awk are available, since SKILL.md relies on them even though they aren't declared in the registry metadata. If you don't trust the source, prefer a sandboxed environment or decline the skill. If you want to proceed, request the author to publish a complete package (or provide the wrapper in PATH) and to reconcile the declared required binaries with the instructions.
Like a lobster shell, security has layers — review code before you run it.
latest · openclaw · spogo · spotify · wsl2
Runtime requirements
Any bin: spogo
