Home Music
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: home-music-tc Version: 1.2.0 The skill contains a hardcoded absolute path to a specific user's home directory (/Users/asteinberger/) in home-music.sh, which is a significant portability and security concern for shared bundles. The SKILL.md file instructs users to use sudo for installation, which is a high-privilege action. While the script's use of AppleScript (osascript) to control Spotify and Airfoil is consistent with its stated purpose, these factors combined with the lack of input sanitization for potential future modifications make it suspicious.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the skill can start music, change volume, and connect or disconnect household speakers.
The script controls Airfoil speakers and Spotify playback, including all-speaker party mode at 70% volume. This is aligned with the skill's purpose but is still a real local-device control capability.
for speaker in "${ALL_SPEAKERS[@]}"; do ... airfoil_volume "$speaker" 0.7 ... "$SPOTIFY_CMD" play "$PLAYLIST_PARTY"Install only on a Mac where you want this control, and review or customize the speaker list and playlist IDs before use.
A sudo install command can modify a protected system-wide command directory.
The documented install step asks the user to use sudo to create a global command symlink. This is user-directed and scoped, but it crosses a local privilege boundary during setup.
sudo ln -sf ~/clawd/skills/home-music/home-music.sh /usr/local/bin/home-music
Only run the sudo symlink command after reviewing the script path; alternatively, run the script directly without installing a global command.
Spotify actions depend on another local script; if that script is missing, different, or untrusted, behavior may not match this skill's visible code.
The skill invokes a separate local Spotify helper script outside the provided file contents, and the path is hardcoded to a specific user's directory. That dependency is disclosed by the skill purpose, but its code is not reviewed here.
SPOTIFY_CMD="/Users/asteinberger/clawd/skills/spotify-applescript/spotify.sh"
Verify the spotify-applescript helper before use and update the hardcoded path to your own reviewed installation.