      ShawnPana

      Safety Report

      Spotify

      @ShawnPana

      Control Spotify playback on any Linux device via command line, requiring Spotify Premium and an active Spotify session on another device.

      1,453 Downloads
      1 Installs
      0 Stars
      1 Versions
      CLI & Shell Tools (1,805) · Design & Prototyping (842)

      Security Analysis

      medium confidence
      Suspicious · 0.12 risk

      The skill's instructions describe a Spotify CLI and request local credentials, but the package is instruction-only and omits the actual executable and metadata about required credentials — the pieces don't fully line up.

      Feb 11, 2026 · 1 file · 4 concerns

      Purpose & Capability: concern

      The SKILL.md describes a CLI that installs a 'spotify' script to /usr/local/bin and requires Spotify developer credentials, which is consistent with a Spotify playback controller. However the skill bundle contains no script or code file, and the registry metadata lists no required credentials or config paths. Asking users to copy an executable that isn't included is an incoherence and reduces trust.

      Instruction Scope: note

      Runtime instructions stay within the expected scope for a Spotify CLI (install spotipy, create Spotify Developer App, store client id/secret in ~/.config/spotify-cli/config, authenticate via redirect URL). They ask the user/agent to read/write files under the user's home directory and to paste an OAuth redirect URL — all reasonable for this purpose. The docs also instruct using sudo to install a binary into /usr/local/bin, which is normal for a CLI but requires elevated privilege.

      Install Mechanism: note

      There is no install spec in the skill bundle (instruction-only), which is low-risk. The instructions call for pip3 install spotipy (standard PyPI). The oddity is the manual step to copy a 'spotify' executable — but that executable is not provided in the package, so the instructions assume an external artifact or missing code.

      Credentials: note

      The skill does not declare any required environment variables in metadata, yet the instructions require creating a config file containing SPOTIPY_CLIENT_ID and SPOTIPY_CLIENT_SECRET (sensitive secrets). That is proportionate to the stated functionality, but the metadata should declare credential requirements and the handling/storage of secrets should be explicit.

      Persistence & Privilege: ok

      No elevated privileges are requested by the skill metadata (always: false). The only privileged action in the instructions is using sudo to copy an executable into /usr/local/bin, which is a typical CLI install step but requires care. The skill does not request permanent agent-wide presence or modify other skills' configs.

      Guidance

      This skill appears to be a set of installation/runtime instructions for a Spotify CLI, but the package does not include the actual 'spotify' executable the instructions tell you to copy into /usr/local/bin. Before installing or running anything:

      1) Ask the publisher for the source code or a trusted download link for the 'spotify' script; do not run sudo cp on an unknown file.
      2) Treat SPOTIPY_CLIENT_SECRET as sensitive — prefer a secure storage mechanism and avoid pasting it into public places.
      3) Confirm the redirect URI and OAuth flow before pasting redirect URLs into prompts.
      4) If you don't trust the publisher, implement the CLI yourself (or use an official client) rather than copying third-party binaries.

      If the publisher provides the missing script and updates the metadata to declare credential requirements, re-evaluate; currently the missing executable and undocumented credential requirements make this package suspicious.

      Latest Release

      v1.0.0

      - Initial release of Spotify CLI for controlling Spotify playback from the command line.
      - Supports commands to search, play, pause, resume, skip tracks, show status, and list devices.
      - Requires a Spotify Premium account and credentials setup via a config file.
      - Detailed installation and authentication steps provided.
      - Includes AI agent best practices section to ensure accurate song selection using search and user confirmation before playback.
      - Troubleshooting guide added for common issues like missing devices or expired tokens.


      Published by @ShawnPana on ClawHub
