Spotplay

Pass. Audited by ClawScan on May 1, 2026.

Overview

Spotplay’s artifacts coherently describe a skill that searches Spotify and controls the local Spotify app, but users should be aware that it uses Spotify API client credentials and AppleScript.

Before installing, confirm you want an agent-invocable helper that can control Spotify.app on macOS and use Spotify API client credentials. Prefer a dedicated Spotify API credential and ensure local config files are protected.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Note (High Confidence)
ASI01: Agent Goal Hijack
What this means

The agent may prefer this skill over other installed Spotify tools whenever you ask to play music.

Why it was flagged

The skill instructs the agent to always choose Spotplay for playback requests and not choose other Spotify skills. This is aligned with its purpose but broadly influences tool selection.

Skill content
Whenever the user's intent is "play / pick a song / put on a song / listen to this one / play a song / play XXX (播XXX or 播放XXX)", you must always use spotplay... and do not choose them either
Recommendation

Install it if you want Spotplay to be the default Spotify playback helper; otherwise narrow the invocation wording or use explicit tool choices.

What this means

If present, your local Spotify API client ID and secret may be read and used to request a Spotify access token.

Why it was flagged

The script uses Spotify client credentials from environment variables or a local config file. This is expected for Spotify API search, but the registry metadata says no credentials or config paths are required.

Skill content
cid = os.environ.get("SPOTIFY_CLIENT_ID") ... csec = os.environ.get("SPOTIFY_CLIENT_SECRET") ... CFG = os.path.expanduser("~/.shpotify.cfg")
Recommendation

Use a dedicated Spotify API client credential for this skill and keep ~/.shpotify.cfg permissions restricted.
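The recommendation above (a dedicated credential, restricted permissions on ~/.shpotify.cfg) can be enforced rather than just hoped for. The following is an added example, not Spotplay's own code: it reads the same two environment variables and config path the report shows, refuses the config file unless it is a regular, user-owned file with mode 0600, and builds the client-credentials token request for Spotify's documented token endpoint without sending it. The function names (`permission_problem`, `load_credentials`, `client_credentials_request`) and the INI layout with a `[spotify]` section are assumptions for illustration; the real file format is not shown on this page.

```python
import os
import stat
import base64
import configparser
from pathlib import Path
from typing import Optional, Tuple

# Added example; not Spotplay's own code. The report shows only that the
# skill reads SPOTIFY_CLIENT_ID / SPOTIFY_CLIENT_SECRET and the path
# ~/.shpotify.cfg; the INI layout with a [spotify] section is an assumption.

GROUP_OR_OTHER = stat.S_IRWXG | stat.S_IRWXO  # any of these bits means "not private"


def permission_problem(path: Path) -> Optional[str]:
    """Return why a credential file should not be read, or None if it is a
    regular file owned by the current user with no group/other permission bits."""
    st = path.lstat()  # lstat: a symlink planted at this path is reported as such
    if stat.S_ISLNK(st.st_mode):
        return "is a symlink"
    if not stat.S_ISREG(st.st_mode):
        return "is not a regular file"
    if st.st_uid != os.getuid():
        return "is not owned by the current user"
    if st.st_mode & GROUP_OR_OTHER:
        return f"has mode {stat.S_IMODE(st.st_mode):04o}, expected 0600"
    return None


def load_credentials(config_path: Path = Path("~/.shpotify.cfg").expanduser(),
                     env=os.environ) -> Tuple[str, str]:
    """Environment variables win; the config file is consulted only after its
    permissions pass, so a world-readable secret file is an error, not a silent read."""
    cid, csec = env.get("SPOTIFY_CLIENT_ID"), env.get("SPOTIFY_CLIENT_SECRET")
    if cid and csec:
        return cid, csec
    if not config_path.exists():
        raise RuntimeError("no Spotify client credentials in environment or config file")
    problem = permission_problem(config_path)
    if problem:
        raise PermissionError(f"refusing to read {config_path}: file {problem}")
    cp = configparser.ConfigParser()
    cp.read(config_path)
    return cp["spotify"]["client_id"], cp["spotify"]["client_secret"]


def client_credentials_request(cid: str, csec: str) -> dict:
    """Build, but do not send, the token request for Spotify's client-credentials
    grant: HTTP Basic auth with client_id:client_secret and grant_type=client_credentials.
    This grant returns an app-only token; no user account or playback scope is involved."""
    basic = base64.b64encode(f"{cid}:{csec}".encode()).decode()
    return {
        "url": "https://accounts.spotify.com/api/token",
        "headers": {"Authorization": f"Basic {basic}",
                    "Content-Type": "application/x-www-form-urlencoded"},
        "data": {"grant_type": "client_credentials"},
    }
```

With a file created under the usual 022 umask (mode 0644), `load_credentials` raises instead of reading it; `chmod 600 ~/.shpotify.cfg` makes it pass. The ownership and symlink checks matter on a shared Mac, where another local user could otherwise plant a link at that path. Because the grant is client-credentials only, the token obtained this way can search the catalog but cannot act on a user's account.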

What this means

Users may install it without realizing it only works in a macOS Spotify.app environment and needs Spotify API credentials.

Why it was flagged

The metadata under-declares requirements that are visible in the artifacts, including macOS/Spotify.app usage and Spotify credentials. This affects install transparency, not runtime maliciousness.

Skill content
OS restriction: none ... Required env vars: none ... Primary credential: none ... Required config paths: none
Recommendation

The publisher should declare macOS/Spotify.app expectations, credential variables, and the optional ~/.shpotify.cfg path in metadata.

What this means

When invoked, the skill can launch and control your local Spotify app to start playback.

Why it was flagged

The script executes osascript via the shell to control Spotify.app. This is central to the stated purpose and is not hidden, but it is still local command execution.

Skill content
subprocess.run(cmd, shell=True, text=True, capture_output=True) ... osascript -e ... tell application "Spotify" to activate
Recommendation

Only install it on a Mac where you are comfortable allowing the agent to control Spotify.app through AppleScript.
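The report shows `subprocess.run(cmd, shell=True, ...)` wrapping an `osascript -e` command; it does not show how `cmd` is assembled or what is interpolated into it. The following is an added example, not Spotplay's own code, of the form a practitioner would want instead: the `osascript` invocation is built as an argument list so no shell ever parses it, the track URI is validated against the `spotify:track:<base62>` shape before use, and the value is quoted as an AppleScript string literal. `applescript_string`, `play_command` and `spotify_play` are hypothetical names, and the track URI in the usage line is a constructed sample.

```python
import subprocess
from typing import List

# Added example; not Spotplay's own code. The report page does not show how
# Spotplay builds its command string, so this is the hardened shape a reviewer
# would ask for, not a claim about the original's inputs.

TRACK_PREFIX = "spotify:track:"


def applescript_string(value: str) -> str:
    """Quote a Python string as an AppleScript string literal. Inside double
    quotes AppleScript honours backslash escapes, so escape backslash and quote."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def play_command(track_uri: str) -> List[str]:
    """argv for osascript: the interpreter and each -e script are separate
    elements, so nothing in track_uri is ever parsed by /bin/sh.
    Spotify track IDs are base62, so the allowlist is simply alphanumeric."""
    track_id = track_uri[len(TRACK_PREFIX):]
    if not track_uri.startswith(TRACK_PREFIX) or not track_id.isalnum():
        raise ValueError(f"unexpected track URI: {track_uri!r}")
    return [
        "osascript",
        "-e", 'tell application "Spotify" to activate',
        "-e", f'tell application "Spotify" to play track {applescript_string(track_uri)}',
    ]


def spotify_play(track_uri: str) -> subprocess.CompletedProcess:
    """Run the command without shell=True (the default). With an argv list there
    is no word splitting and no interpretation of ; $( ) or backticks. macOS only."""
    return subprocess.run(play_command(track_uri), text=True,
                          capture_output=True, check=True)


if __name__ == "__main__":
    # constructed sample URI; only runs on a Mac with Spotify.app installed
    print(play_command("spotify:track:0123456789abcdefghijkl"))
```

Dropping `shell=True` is the change that matters: the string the report shows would work unchanged as the `-e` element of an argv list, and a string containing a quote, semicolon or `$(...)` then reaches `osascript` as an AppleScript literal rather than the shell as a command. The validator is belt and braces; if the URI comes from a Spotify search result it will already match, and if it does not, failing closed is the right outcome for a helper that runs with the user's full macOS session.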