← Back to Skills Marketplace

Spotplay

Name: Spotplay
Author: uxbryan

by uxbryan · GitHub ↗ · v0.1.0

cross-platform ⚠ suspicious

562

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install spotplay

Description

Search and play Spotify tracks via Spotify.app using AppleScript on macOS, ensuring playback on the active device with detailed status updates.

Usage Guidance

This skill will: (a) call Spotify's Web API using a client ID/secret, (b) read SPOTIFY_CLIENT_ID / SPOTIFY_CLIENT_SECRET environment variables or the file ~/.shpotify.cfg, and (c) run osascript to command Spotify.app. Those behaviors are consistent with implementing search + play, but the registry/README failed to disclose the credential and config-file requirement. Before installing or running: 1) only provide dedicated Spotify developer credentials (create an app you can revoke), do not reuse high-value secrets; 2) inspect or remove ~/.shpotify.cfg if you don't want it read; 3) prefer setting env vars only for the process (not globally) or run the skill in a controlled environment; 4) review the Python script yourself — it contacts official Spotify endpoints and uses osascript, which is expected; 5) if you need stronger assurance, ask the publisher to update SKILL.md/metadata to declare the credential and config-file requirements and to explain how credentials are used and stored. If you do not trust the unknown source, do not supply credentials or run the skill on sensitive machines.

Capability Analysis

Type: OpenClaw Skill Name: spotplay Version: 0.1.0 The skill's `SKILL.md` provides clear, benign instructions for the AI agent, without any prompt injection attempts. The `spotplay.py` script's functionality aligns with its stated purpose: playing Spotify tracks via AppleScript on macOS. It accesses Spotify API credentials from environment variables or `~/.shpotify.cfg` and communicates only with legitimate Spotify API endpoints. While `subprocess.run(shell=True)` is used, the dynamic parts of the commands passed to `osascript` are properly sanitized with `shlex.quote`, mitigating direct shell injection risks. There is no evidence of data exfiltration, unauthorized remote control, persistence, or other malicious behavior.

Capability Assessment

⚠ Purpose & Capability

The name/description claim to control Spotify.app via AppleScript and search tracks — the code does exactly that. However the code also requires Spotify API client credentials (SPOTIFY_CLIENT_ID / SPOTIFY_CLIENT_SECRET or ~/.shpotify.cfg) to call the Web API; the registry metadata and SKILL.md did not declare this requirement. Requiring developer credentials is plausible for searching the Web API, but it should be declared to the user.

ℹ Instruction Scope

SKILL.md describes activating Spotify.app and playing a found track, which matches the implementation. It does not mention reading environment variables or the config file (~/.shpotify.cfg) nor that it will call spotify.com endpoints — the code does both. The runtime behavior (network calls to Spotify and running osascript) is within the skill's purpose, but the omission in the prose grants the agent access to credential data without explicitly documenting it.

✓ Install Mechanism

There is no install spec (instruction-only + a single Python script). Nothing is downloaded from external arbitrary URLs and no new packages are installed by the registry metadata. Risk from installation mechanism is low.

⚠ Credentials

The code requires SPOTIFY_CLIENT_ID and SPOTIFY_CLIENT_SECRET or a local config file (~/.shpotify.cfg) containing CLIENT_ID/CLIENT_SECRET. The metadata incorrectly lists no required env vars/config paths. The type of credentials requested is proportional to using the Spotify Web API, but requesting them without declaring that to the user is a material omission and increases risk (credential exposure if the file is present or env vars are set).

✓ Persistence & Privilege

always:false and no changes to other skills or system-wide configurations. The skill runs locally and does not request permanent global presence or elevated system privileges.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install spotplay
After installation, invoke the skill by name or use /spotplay
Provide required inputs per the skill's parameter spec and get structured output

Version History

v0.1.0

spotplay 0.1.0 初始版本 - 使用 Spotify.app 及 AppleScript 播放 Spotify 歌曲，不依賴 spogo 或 Web Player。 - 根據使用者輸入關鍵字自動搜尋並播放歌曲。 - 播放後回報目前播放曲名、歌手與 URI，方便 debug。 - 若 Spotify.app 未啟動會自動啟動，搜尋不到歌曲時給予明確提示。 - 僅適用於 macOS，須安裝 Spotify.app。

Metadata

Slug spotplay

Version 0.1.0

License —

All-time Installs 2

Active Installs 2

Total Versions 1

Frequently Asked Questions

What is Spotplay?

Search and play Spotify tracks via Spotify.app using AppleScript on macOS, ensuring playback on the active device with detailed status updates. It is an AI Agent Skill for Claude Code / OpenClaw, with 562 downloads so far.

How do I install Spotplay?

Run "/install spotplay" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Spotplay free?

Yes, Spotplay is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Spotplay support?

Spotplay is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Spotplay?

It is built and maintained by uxbryan (@uxbryan); the current version is v0.1.0.

More Skills