Home Music Enhanced
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: home-music-enhanced Version: 2.0.0 The skill is a legitimate automation tool for macOS designed to coordinate Spotify playback and Airfoil speaker routing via AppleScript. The code in home-music.sh uses a controlled case statement to trigger hardcoded scenes, preventing arbitrary command injection. While the documentation suggests using sudo for a global symlink and the script contains a hardcoded user path (/Users/asteinberger/), these are typical configuration patterns for local CLI tools and do not indicate malicious intent or security risks beyond standard local execution.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running a scene can connect or disconnect speakers and change playback volume across the home.
The script runs local AppleScript commands to control Airfoil speakers. This is expected for a macOS music-routing skill, but it does change local application and device state.
osascript -e "tell application \"Airfoil\" to connect to (first speaker whose name is \"$speaker\")" 2>/dev/null || true
Install only if you expect this local automation, and review or adjust the speaker names and volume levels before using party or whole-house scenes.
If the helper path points to an unexpected or modified script, the skill would run that local script when controlling Spotify.
The skill delegates Spotify control to a hard-coded helper script path outside this package. That helper is purpose-aligned, but its code is not included in the provided artifacts.
SPOTIFY_CMD="/Users/asteinberger/clawd/skills/spotify-applescript/spotify.sh"
Verify the spotify-applescript helper before use and change the path to a trusted local installation under your own account.
The home-music command will remain available system-wide until the symlink is removed or changed.
The installation instructions ask the user to create a persistent global command symlink in a privileged directory. This is a common CLI setup pattern and is user-directed, but it should be done knowingly.
sudo ln -sf ~/clawd/skills/home-music/home-music.sh /usr/local/bin/home-music
Only run the sudo symlink command after reviewing the script, and remove the symlink if you no longer want the command installed globally.