Sonos Music Search
Pass. Audited by VirusTotal on May 10, 2026.
Overview
Type: OpenClaw Skill
Name: sonos-music-search
Version: 1.0.1
The skill is a legitimate utility for searching Spotify tracks via the Brave Search API and playing them on local Sonos speakers. The implementation in src/index.js uses standard libraries (node-fetch, sonos), properly encodes user input for API requests, and includes a discovery timeout to prevent hanging. An included audit-report.md indicates that previous reliability and security concerns (such as non-existent dependencies and unsafe search defaults) have been addressed in the current version.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your Brave Search API key will be used for searches made through the skill.
The skill uses a Brave API key from the environment and sends it to Brave's search API. This is expected for the stated search feature, but it is still a sensitive credential and may consume API quota.
const BRAVE_SEARCH_BASE = 'https://api.search.brave.com/res/v1/web/search'; ... headers: { 'X-Subscription-Token': braveApiKey, Accept: 'application/json' }
Use a dedicated Brave API key if possible, monitor quota usage, and avoid exposing the key in shared shells or logs.
If invoked with the wrong speaker or query, the skill could play the wrong track or unexpectedly start audio on a Sonos device.
The skill selects the first Brave result and starts playback on the named Sonos speaker. This is the intended function, but it is a user-visible device action.
const firstResult = results[0]; ... await speaker.play(spotifyUri);
Use explicit speaker names and queries, and consider confirming before issuing `play` commands in sensitive or shared environments.
Installing the skill will install and run third-party Node packages.
The skill depends on third-party npm packages for HTTP requests and Sonos control. This is normal for the purpose, but it means installation depends on the npm supply chain.
"dependencies": {"node-fetch": "^2.7.0", "sonos": "^1.14.0"}
Install only from a trusted publisher/source and review dependency changes when updating.
