Spotplay
v0.1.0
Search and play Spotify tracks via Spotify.app using AppleScript on macOS, ensuring playback on the active device with detailed status updates.
⭐ 0 · 528 · 2 current · 2 all-time
by @uxbryan
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious · medium confidence
Purpose & Capability
The name and description claim to search tracks and control Spotify.app via AppleScript, and the code does exactly that. However, the code also requires Spotify Web API client credentials (SPOTIFY_CLIENT_ID / SPOTIFY_CLIENT_SECRET, or CLIENT_ID/CLIENT_SECRET in ~/.shpotify.cfg) to call the Web API, and neither the registry metadata nor SKILL.md declares this requirement. Requiring developer credentials is plausible for searching via the Web API, but it should be declared to the user.
Instruction Scope
SKILL.md describes activating Spotify.app and playing a found track, which matches the implementation. It does not mention reading environment variables or the config file (~/.shpotify.cfg), nor that it calls spotify.com endpoints; the code does both. The runtime behavior (network calls to Spotify and running osascript) is within the skill's stated purpose, but the omission means the agent is given access to credential data that the prose never documents.
Install Mechanism
There is no install spec; the skill is instruction-only plus a single Python script. Nothing is downloaded from arbitrary external URLs and the registry metadata installs no new packages. Risk from the installation mechanism is low.
Credentials
The code requires SPOTIFY_CLIENT_ID and SPOTIFY_CLIENT_SECRET, or a local config file (~/.shpotify.cfg) containing CLIENT_ID/CLIENT_SECRET. The metadata lists no required env vars or config paths, which is incorrect. The credentials requested are proportionate to using the Spotify Web API, but requesting them without declaring it to the user is a material omission and increases risk: if the file is present or the env vars are set, the skill reads those secrets without the user having been told.
Persistence & Privilege
The skill is declared always:false and makes no changes to other skills or system-wide configuration. It runs locally and requests neither permanent global presence nor elevated system privileges.
What to consider before installing
This skill will: (a) call Spotify's Web API using a client ID and secret, (b) read the SPOTIFY_CLIENT_ID / SPOTIFY_CLIENT_SECRET environment variables or the file ~/.shpotify.cfg, and (c) run osascript to command Spotify.app. Those behaviors are consistent with implementing search and play, but the registry metadata and README fail to disclose the credential and config-file requirement. Before installing or running:
1) Provide only dedicated Spotify developer credentials (create an app you can revoke); do not reuse high-value secrets.
2) Inspect or remove ~/.shpotify.cfg if you do not want it read.
3) Set the env vars only for the skill's process rather than globally, or run the skill in a controlled environment.
4) Review the Python script yourself; it contacts official Spotify endpoints and runs osascript, both of which are expected for this purpose.
5) If you need stronger assurance, ask the publisher to update SKILL.md and the metadata to declare the credential and config-file requirements and to explain how credentials are used and stored.
If you do not trust the unknown source, do not supply credentials or run the skill on sensitive machines.
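The scope check the scan performs above (what SKILL.md and the metadata declare versus what the script actually reads, contacts and runs) can be automated for any skill script before you run it. The following is an added example, not code from Spotplay or from the OpenClaw scanner: it walks a Python source with the standard ast module, collects environment-variable reads, home-directory config paths, URLs and subprocess commands, and reports whatever a declared manifest does not cover. SAMPLE_SCRIPT is a constructed stand-in that mimics the behaviors the scan report lists, and the manifest keys (env_vars, home_paths, urls, commands) are this example's own convention, not the registry's metadata format.

```python
"""Added example: static audit of a skill script's credential, file,
network and subprocess surface, compared against what its metadata declares.
Requires Python 3.9+ (ast.unparse). Not Spotplay's own code."""
import ast
import re

# Constructed stand-in for a skill script. It is NOT the Spotplay source;
# it only reproduces the behaviors the scan report describes.
SAMPLE_SCRIPT = '''
import os, subprocess, urllib.request
CFG = os.path.expanduser("~/.shpotify.cfg")
def creds():
    cid = os.environ.get("SPOTIFY_CLIENT_ID")
    sec = os.getenv("SPOTIFY_CLIENT_SECRET")
    if not cid and os.path.exists(CFG):
        with open(CFG) as f:
            ...
    return cid, sec
def token(cid, sec):
    req = urllib.request.Request("https://accounts.spotify.com/api/token")
    return urllib.request.urlopen(req)
def play(uri):
    subprocess.run(["osascript", "-e", 'tell application "Spotify" to play track "%s"' % uri])
'''

URL_RE = re.compile(r"https?://[^\s\"']+")
HOME_PATH_RE = re.compile(r"~/[\w./-]+")


class SkillAuditor(ast.NodeVisitor):
    """Collects the observable side effects a script is wired to perform."""

    def __init__(self):
        self.env_vars, self.home_paths = set(), set()
        self.urls, self.commands = set(), set()

    def visit_Call(self, node):
        name = ast.unparse(node.func)
        # os.environ.get("X") / os.getenv("X") with a literal name
        if name in ("os.environ.get", "os.getenv") and node.args \
                and isinstance(node.args[0], ast.Constant):
            self.env_vars.add(node.args[0].value)
        # subprocess.<anything>(["cmd", ...]) or subprocess.<anything>("cmd ...")
        if name.startswith("subprocess.") and node.args:
            first = node.args[0]
            if isinstance(first, ast.List) and first.elts \
                    and isinstance(first.elts[0], ast.Constant):
                self.commands.add(first.elts[0].value)
            elif isinstance(first, ast.Constant) and isinstance(first.value, str):
                self.commands.add(first.value.split()[0])
        self.generic_visit(node)

    def visit_Subscript(self, node):
        # os.environ["X"]
        if ast.unparse(node.value) == "os.environ" and isinstance(node.slice, ast.Constant):
            self.env_vars.add(node.slice.value)
        self.generic_visit(node)

    def visit_Constant(self, node):
        # Any string literal may carry an endpoint or a home-relative path.
        if isinstance(node.value, str):
            self.urls.update(URL_RE.findall(node.value))
            self.home_paths.update(HOME_PATH_RE.findall(node.value))
        self.generic_visit(node)


def audit(source):
    """Return the sorted env vars, home paths, URLs and commands found in source."""
    auditor = SkillAuditor()
    auditor.visit(ast.parse(source))
    return {"env_vars": sorted(auditor.env_vars),
            "home_paths": sorted(auditor.home_paths),
            "urls": sorted(auditor.urls),
            "commands": sorted(auditor.commands)}


def undeclared(found, declared):
    """Findings absent from the declared manifest, keyed by category (empty if none)."""
    gaps = {}
    for category, items in found.items():
        missing = sorted(set(items) - set(declared.get(category, [])))
        if missing:
            gaps[category] = missing
    return gaps


if __name__ == "__main__":
    # Manifest in this example's own format: only what the prose admits to.
    declared = {"urls": ["https://accounts.spotify.com/api/token"],
                "commands": ["osascript"]}
    for category, items in undeclared(audit(SAMPLE_SCRIPT), declared).items():
        print(f"undeclared {category}: {', '.join(items)}")
```

Run it against the real script with audit(open(path).read()) and fill the manifest with whatever SKILL.md or the metadata actually declares; what undeclared returns is the gap the scan above flagged. It is a static check only: a credential assembled at runtime, read through a library wrapper, or named via a variable rather than a literal will not appear, so treat an empty result as a reason to read the script, not as a clean bill.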
latest · vk972dazmkhcw28fsfn9gm5q89d81811s
