Sonos Music Search
Pass
Audited by ClawScan on May 10, 2026.
Overview
The skill appears to do what it claims—search Brave for Spotify tracks and play them on Sonos—but it needs a Brave API key, npm dependencies, network access, and can start playback on a local speaker.
Before installing, make sure you trust the publisher/source, are comfortable installing the Node dependencies, and understand that searches go to Brave while the play command can start audio on a named Sonos speaker. Use a dedicated Brave API key and be deliberate about speaker names and queries.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your Brave Search API key will be used for searches made through the skill.
The skill uses a Brave API key from the environment and sends it to Brave's search API. This is expected for the stated search feature, but it is still a sensitive credential and may consume API quota.
const BRAVE_SEARCH_BASE = 'https://api.search.brave.com/res/v1/web/search'; ... headers: { 'X-Subscription-Token': braveApiKey, Accept: 'application/json' }
Use a dedicated Brave API key if possible, monitor quota usage, and avoid exposing the key in shared shells or logs.
If invoked with the wrong speaker or query, the skill could play the wrong track or unexpectedly start audio on a Sonos device.
The skill selects the first Brave result and starts playback on the named Sonos speaker. This is the intended function, but it is a user-visible device action.
const firstResult = results[0]; ... await speaker.play(spotifyUri);
Use explicit speaker names and queries, and consider confirming before issuing `play` commands in sensitive or shared environments.
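The two findings above (the key sent in the X-Subscription-Token header, and playback of the first result on a named speaker) both come down to how the caller handles the request and the play decision. The following is an added example, not the skill's own code: a hardened version of the same search-then-play flow that reads BRAVE_API_KEY from the environment and fails early if it is missing, produces a redacted copy of the request for logging, accepts only a canonical Spotify track URL from the results, restricts playback to an allowlist of speaker names, and returns a confirmation prompt instead of playing when the caller has not confirmed. The `site:` query restriction, the `spotify:track:<id>` URI form and the sample results are assumptions made for the example; the network and Sonos calls are left out so it runs offline and returns what it would send or do.

```javascript
// Added example, not the skill's code. Node.js, no dependencies.
const BRAVE_SEARCH_BASE = 'https://api.search.brave.com/res/v1/web/search';
const SENSITIVE_HEADERS = new Set(['x-subscription-token', 'authorization']);

// Build the Brave request. Throws when the key is missing so a bad
// deployment fails before any query is sent. The site: restriction is an
// assumption about how the skill narrows results to Spotify tracks.
function buildBraveRequest(query, env = process.env) {
  const braveApiKey = env.BRAVE_API_KEY;
  if (typeof braveApiKey !== 'string' || braveApiKey.length === 0) {
    throw new Error('BRAVE_API_KEY is not set');
  }
  const url = new URL(BRAVE_SEARCH_BASE);
  url.searchParams.set('q', `${query} site:open.spotify.com/track`);
  return {
    url: url.toString(),
    headers: { 'X-Subscription-Token': braveApiKey, Accept: 'application/json' },
  };
}

// The only form of the request that should reach a log: secret headers masked.
function redactForLog(request) {
  const headers = {};
  for (const [name, value] of Object.entries(request.headers)) {
    headers[name] = SENSITIVE_HEADERS.has(name.toLowerCase()) ? '<redacted>' : value;
  }
  return { url: request.url, headers };
}

// Accept only a canonical Spotify track URL (22-character base62 id) and
// convert it to spotify:track:<id>; assumption: that is the URI form the
// Sonos library's play() takes. Artist, album or unrelated hits are skipped.
const TRACK_URL = /^https:\/\/open\.spotify\.com\/track\/([A-Za-z0-9]{22})(?:[?#].*)?$/;

function pickSpotifyTrack(results) {
  for (const result of results) {
    const match = TRACK_URL.exec(result.url || '');
    if (match) return { title: result.title, spotifyUri: `spotify:track:${match[1]}` };
  }
  return null;
}

// Decide what to do instead of doing it, so the caller can inspect or
// prompt: refuse unknown speakers and empty results, ask before playing
// when not confirmed, otherwise hand back the play command.
function planPlayback({ speaker, track, allowedSpeakers, confirmed }) {
  if (!allowedSpeakers.includes(speaker)) {
    return { action: 'refuse', reason: `speaker "${speaker}" is not on the allowlist` };
  }
  if (!track) {
    return { action: 'refuse', reason: 'no Spotify track found in search results' };
  }
  if (!confirmed) {
    return { action: 'confirm', prompt: `Play "${track.title}" on ${speaker}?` };
  }
  return { action: 'play', speaker, spotifyUri: track.spotifyUri };
}

// Constructed sample results: an artist page that must not be played,
// then a track URL with a tracking parameter appended.
const SAMPLE_RESULTS = [
  { title: 'Some Artist - Spotify', url: 'https://open.spotify.com/artist/1234567890123456789012' },
  { title: 'Some Song', url: 'https://open.spotify.com/track/4uLU6hMCjMI75M1A2tKUQC?si=abc' },
];

// Stand-alone run with a dummy key (the real key comes from process.env).
const demoRequest = buildBraveRequest('some song', { BRAVE_API_KEY: 'dummy-key-for-demo' });
console.log('request as it may be logged:', redactForLog(demoRequest));
const demoTrack = pickSpotifyTrack(SAMPLE_RESULTS);
console.log(planPlayback({ speaker: 'Kitchen', track: demoTrack, allowedSpeakers: ['Kitchen'], confirmed: false }));
```

In use, the caller sends `buildBraveRequest(...)` to Brave, logs only `redactForLog(...)`, and calls the Sonos library's play only when `planPlayback` returns `action: 'play'`; a `confirm` result is shown to the user first, which is the check Finding 2 recommends for shared or sensitive environments.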
Installing the skill will install and run third-party Node packages.
The skill depends on third-party npm packages for HTTP requests and Sonos control. This is normal for the purpose, but it means installation depends on the npm supply chain.
"dependencies": {"node-fetch": "^2.7.0", "sonos": "^1.14.0"}
Install only from a trusted publisher/source and review dependency changes when updating. Note that the caret ranges shown allow newer minor and patch releases of both packages to be pulled in at install time; commit a lockfile and install with `npm ci` so the resolved versions are the ones you reviewed.
