Query Last.fm listening data, show now playing, sync scrobble history to local DB, and deploy a personal "now playing" web dashboard. Use when user asks about current music, listening stats, scrobble history, or wants to set up a Last.fm dashboard.
Security Analysis
High confidence: The package claims to be a Last.fm dashboard but the repository bundles unrelated tools and scripts (Find My, Hammerspoon, brain-sync, auto-updater), contains code that expects undeclared secrets (LASTFM_API_KEY, ENSUE_API_KEY) and even exposes sensitive credentials in docs — the pieces are inconsistent and warrant caution before installing or running.
The skill's name and description describe a Last.fm dashboard (sync scrobbles, now-playing UI). However, the workspace includes many unrelated skills and scripts (findmy-location, brain-sync, Hammerspoon helpers, auto-updater, ClawdHub CLI, etc.). The Last.fm skill's own docs reference required environment variables (LASTFM_API_KEY, LASTFM_USERNAME) and deployment artifacts (k8s manifests), but the registry metadata declares no required env vars — a clear mismatch. Several included files and tools (brain-sync docs, the Ensue integration) are unrelated to a simple dashboard and give this package a much broader footprint than the name suggests.
Runtime instructions and scripts do more than query Last.fm: brain-sync.sh reads/writes a user's Obsidian vault, copies local memory files, and talks to an 'Ensue' API; ensue-api.sh reads an ENSUE_API_KEY from env or macOS Keychain; findmy-location automates the macOS Find My app (including taking screenshots) using peekaboo and Hammerspoon; Hammerspoon config starts an HTTP server on localhost:9090 to accept arbitrary click/type commands. These instructions reference many system paths (~/.hammerspoon, ~/mnt/services, ~/clawd, ~/.config) and credentials outside the stated Last.fm purpose. Several instructions and scripts would read or transmit personal data (Obsidian notes, Ensue memories, screenshots) unrelated to music data.
There is no install spec (instruction-only at registry level), which limits automatic install risk. However the repository contains runnable code (lastfm_cli.py, server.py, k8s manifests, shell scripts, tests). Running or deploying these files (e.g., running server.py or applying k8s manifests) would execute code and could create network services or cron jobs. The absence of an install spec reduces supply-chain clarity: nothing is automatically vetted or sandboxed by the registry metadata.
Registry metadata lists no required env vars, but project docs and code expect several credentials: LASTFM_API_KEY and LASTFM_USERNAME for the Last.fm app, ENSUE_API_KEY (or a Keychain entry) for the Ensue integration, and the brain-sync docs embed CouchDB admin credentials. Scripts read from the macOS Keychain and from system file paths. The number and sensitivity of the credentials needed (API keys, an admin DB password in docs) are disproportionate for a single-user Last.fm dashboard and are not declared in the registry metadata.
The package contains an 'auto-updater' skill and instructions for cron jobs (daily auto-update), brain-sync.sh that is intended to run periodically, and documentation about scheduling and gateway cron integration. While the skill metadata does not set always:true, the included artifacts and docs instruct creating recurring jobs and services (Hammerspoon HTTP server, a web server, Kubernetes deployment) that give the repository persistent, long-lived presence on a system and potential access to local data. This combination (background sync scripts + local HTTP control endpoints + instructions to auto-update) increases risk if you run the code without isolating it.
Guidance
Do not run or deploy this package blindly. Specific things to check before installing:
- The registry metadata declares no required env vars, but the docs/code require LASTFM_API_KEY and LASTFM_USERNAME — ensure you supply only the minimal Last.fm credentials (and preferably create a scoped API key) and never reuse high-privilege secrets.
- The repository bundles unrelated tooling (Find My automation, Hammerspoon HTTP API, brain-sync that touches your Obsidian vault, an auto-updater, and k8s manifests). If you only want the Last.fm dashboard, extract and audit only the `skills/whatisxlistening-to/` files rather than installing the whole workspace.
- The docs include hardcoded infrastructure credentials (CouchDB admin user/password in the brain-sync docs). Treat this as a secret leak: don't run any scripts that reference those endpoints until you confirm they are dummy/test values. Remove or rotate any leaked credentials you control.
- Inspect server.py and lastfm_cli.py for outbound network calls and data handling (where data is sent, whether it logs or posts to external endpoints). Prefer running the server inside an isolated container or VM and bind it to localhost only.
- Hammerspoon and findmy-location code can take screenshots and control the UI (click/type). Only run those on machines where you understand and accept that level of access; they require Accessibility and Screen Recording permissions on macOS.
- Avoid enabling any auto-update/cron automation until you review the auto-updater logic; auto-updaters increase risk if the update source or update process is not strictly controlled.
If you want help: I can (1) list the exact files that reference sensitive credentials, (2) summarize server.py's network behavior, or (3) produce a minimal checklist/command list to safely run the Last.fm parts inside a container.
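Two of the checks above (environment variables the code reads but the registry never declared, and credentials embedded in docs or URLs) can be scripted before anything is installed. The following audit script is an added example written for this page, not code from the package or from ClawHub; build_sample_tree() creates a constructed stand-in workspace whose file names, hostnames and values are made up.

```python
import re
import tempfile
from pathlib import Path

# Reads of environment variables in Python (os.environ / os.getenv) and shell ($VAR, ${VAR}).
ENV_PATTERNS = [
    re.compile(r'os\.environ(?:\.get)?\s*[\[(]\s*["\']([A-Z][A-Z0-9_]+)["\']'),
    re.compile(r'os\.getenv\s*\(\s*["\']([A-Z][A-Z0-9_]+)["\']'),
    re.compile(r'\$\{?([A-Z][A-Z0-9_]{2,})\}?'),
]
IGNORED_ENV = {"HOME", "PATH", "USER", "PWD", "SHELL", "TMPDIR", "LANG"}
# Credentials in URL userinfo (http://user:pass@host) or assigned as literals in code/docs.
URL_CREDS = re.compile(r'https?://[^\s/:@]+:[^\s/@]+@[^\s/]+')
LITERAL_SECRET = re.compile(
    r'(?i)\b(?:password|passwd|api_key|apikey|secret|token)\b\s*[=:]\s*'
    r'(?:["\']([^"\']{6,})["\']|([A-Za-z0-9!#%^&*+/_-]{8,}))')
SCAN_SUFFIXES = {".py", ".sh", ".md", ".yaml", ".yml", ".json"}

def scan_tree(root, declared_env):
    """Env vars referenced per file, those not declared by the registry, and suspect credential lines."""
    root = Path(root)
    referenced, leaks = {}, []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix not in SCAN_SUFFIXES:
            continue
        rel = path.relative_to(root).as_posix()
        for no, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            for pat in ENV_PATTERNS:
                for name in pat.findall(line):
                    if name not in IGNORED_ENV:
                        referenced.setdefault(name, set()).add(rel)
            m = LITERAL_SECRET.search(line)
            value = (m.group(1) or m.group(2)) if m else None
            # A bare ALL_CAPS value is a constant name, not a leaked secret; a human triages the rest.
            if URL_CREDS.search(line) or (value and not re.fullmatch(r"[A-Z][A-Z0-9_]+", value)):
                leaks.append((rel, no, line.strip()))
    return {"referenced": {k: sorted(v) for k, v in referenced.items()},
            "undeclared": sorted(set(referenced) - set(declared_env)), "leaks": leaks}

def build_sample_tree():
    """Constructed stand-in for the workspace; none of these files or values are the real package."""
    root = Path(tempfile.mkdtemp())
    files = {
        "skills/whatisxlistening-to/lastfm_cli.py": 'api_key = os.environ["LASTFM_API_KEY"]\nuser = os.getenv("LASTFM_USERNAME")\n',
        "skills/brain-sync/ensue-api.sh": 'KEY="${ENSUE_API_KEY:-$(security find-generic-password -s ensue -w)}"\n',
        "skills/brain-sync/README.md": "Sync target: http://admin:s3cretpass@couchdb.local:5984/brain  (made-up value)\n",
    }
    for rel, text in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(text)
    return root
```

Run scan_tree() against the extracted skill directory with the env list the registry actually declares (here, none); every name in "undeclared" is a secret the metadata hides from you, and every "leaks" line is something to rotate or confirm as a dummy value.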
Latest Release
v1.3.0
fix: track info z-index above ejected vinyl disc
Published by @poiley on ClawHub