Skill v0.1.0
VirusTotal security
Spotplay · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Benign · Apr 30, 2026, 4:03 AM
- Hash: 7f501d320c3171f46c285acbf07fa33051b83d14565f28f47508a9d33bc66107
- Source: palm
- Verdict: benign
- Code Insight:
  - Type: OpenClaw Skill
  - Name: spotplay
  - Version: 0.1.0
  - The skill's `SKILL.md` provides clear, benign instructions for the AI agent, without any prompt injection attempts. The `spotplay.py` script's functionality aligns with its stated purpose: playing Spotify tracks via AppleScript on macOS. It accesses Spotify API credentials from environment variables or `~/.shpotify.cfg` and communicates only with legitimate Spotify API endpoints. While `subprocess.run(shell=True)` is used, the dynamic parts of the commands passed to `osascript` are properly sanitized with `shlex.quote`, mitigating direct shell injection risks. There is no evidence of data exfiltration, unauthorized remote control, persistence, or other malicious behavior.
