Spotplay

Search and play Spotify tracks via Spotify.app using AppleScript on macOS, ensuring playback on the active device with detailed status updates.

This skill will: (a) call Spotify's Web API using a client ID/secret, (b) read SPOTIFY_CLIENT_ID / SPOTIFY_CLIENT_SECRET environment variables or the file ~/.shpotify.cfg, and (c) run osascript to command Spotify.app. Those behaviors are consistent with implementing search + play, but the registry/README failed to disclose the credential and config-file requirement. Before installing or running: 1) only provide dedicated Spotify developer credentials (create an app you can revoke), do not reuse high-value secrets; 2) inspect or remove ~/.shpotify.cfg if you don't want it read; 3) prefer setting env vars only for the process (not globally) or run the skill in a controlled environment; 4) review the Python script yourself — it contacts official Spotify endpoints and uses osascript, which is expected; 5) if you need stronger assurance, ask the publisher to update SKILL.md/metadata to declare the credential and config-file requirements and to explain how credentials are used and stored. If you do not trust the unknown source, do not supply credentials or run the skill on sensitive machines.

Type: OpenClaw Skill Name: spotplay Version: 0.1.0 The skill's `SKILL.md` provides clear, benign instructions for the AI agent, without any prompt injection attempts. The `spotplay.py` script's functionality aligns with its stated purpose: playing Spotify tracks via AppleScript on macOS. It accesses Spotify API credentials from environment variables or `~/.shpotify.cfg` and communicates only with legitimate Spotify API endpoints. While `subprocess.run(shell=True)` is used, the dynamic parts of the commands passed to `osascript` are properly sanitized with `shlex.quote`, mitigating direct shell injection risks. There is no evidence of data exfiltration, unauthorized remote control, persistence, or other malicious behavior.