Sonoscli

v1.0.0

Control Sonos speakers (discover/status/play/volume/group).

by Peter Steinberger (@steipete)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's stated purpose (control Sonos speakers) matches the SKILL.md instructions (invoke a local `sonos` CLI). However, the registry metadata at the top of the submission lists no required binaries or install spec, while the SKILL.md's embedded metadata declares a required 'sonos' binary and a Go install (github.com/steipete/sonoscli). That inconsistency between declared registry requirements and the runtime instructions is unexpected and should be clarified.
Instruction Scope
SKILL.md instructs the agent only to run the `sonos` CLI against devices on the local network (discover, status, play, volume, grouping). It references SSDP, an IP override, and optional Spotify Web API credentials for Spotify search. The instructions do not ask the agent to read unrelated files or exfiltrate data to external endpoints beyond the Sonos/Spotify flows.
Install Mechanism
The SKILL.md metadata includes an install entry that uses the Go module github.com/steipete/sonoscli/cmd/sonos@latest to produce a 'sonos' binary. Installing code from a public GitHub Go module is common but non-trivial: it requires a Go toolchain and executes remote code (moderate risk). The install source (GitHub) is reasonable, but because the registry-level spec omitted this, confirm the exact install command and inspect the upstream repo before running.
Credentials
No required environment variables are declared at the registry level, but SKILL.md notes optional SPOTIFY_CLIENT_ID and SPOTIFY_CLIENT_SECRET for Spotify searches. These optional variables are proportional to the described Spotify feature. Do not supply Spotify credentials unless you trust the upstream package.
Persistence & Privilege
The skill does not request persistent/always-on installation and uses default autonomous invocation. It does not attempt to modify other skills or system-wide config in the instructions provided.
What to consider before installing
This SKILL.md appears to wrap an existing Sonos CLI tool, which is reasonable for the stated purpose. However, the registry metadata omitted the 'sonos' binary requirement and the Go-based install that are present in SKILL.md—this mismatch could be a benign metadata oversight or a sign the package was packaged incorrectly. Before installing: (1) verify the upstream GitHub project (github.com/steipete/sonoscli) and inspect its source and recent releases, (2) confirm you are comfortable running `go install` from that module (it will compile and install remote code), (3) do not provide SPOTIFY_CLIENT_SECRET/ID unless you trust the code, and (4) consider running the install in a restricted environment (container or VM) if you want to limit risk. If the publisher cannot explain the metadata discrepancy, treat the skill cautiously or prefer an alternative with consistent metadata and a published release tarball or package.

Like a lobster shell, security has layers — review code before you run it.



Runtime requirements

🔊 Clawdis
Bins: sonos

Install

Install sonoscli (go)
Bins: sonos
go install github.com/steipete/sonoscli/cmd/sonos@latest
