by 安全扫描
OpenClaw
安全
high confidenceNULL
评估建议
This is an instruction-only skill that expects you to have (or install) a local Spotify CLI (spogo preferred, or spotify_player). Before installing or using it: 1) verify the Homebrew tap/formula sources (spogo is suggested from steipete/tap — a third-party tap), 2) understand that running spogo auth import may access your browser cookie store to authenticate (so run that command yourself and review what it does), 3) the skill does not request API keys or environment secrets, but it does use a l...详细分析 ▾
✓ 用途与能力
Name/description (terminal Spotify playback/search) matches the instructions: they require either the spogo or spotify_player CLI and a Spotify Premium account. Nothing requested (no env vars, no unexpected credentials) is outside that purpose.
ℹ 指令范围
SKILL.md confines actions to running local CLI commands (search, play, device list/set, status) and referencing a local config folder (~/.config/spotify-player). One instruction (spogo auth import --browser chrome) implies importing browser cookies — this may require the user to grant access to browser cookie storage when running that CLI, but the skill's instructions themselves do not ask the agent to read other arbitrary files or exfiltrate data.
ℹ 安装机制
The registry shows no formal install spec, but SKILL.md metadata suggests Homebrew installs: spogo from the third-party tap steipete/tap and spotify_player. Homebrew installs are common and expected for CLIs, but a third-party tap means code comes from a non-core source — users may want to inspect the tap/formula before installing.
✓ 凭证需求
No environment variables or credentials are requested. The skill references a local config path and the optional client_id setting for Spotify Connect; this is proportionate and expected for a local CLI-based Spotify client.
✓ 持久化与权限
Skill is user-invocable, not always-on, and does not request persistent system privileges or modify other skills. It does not ask to store credentials in the agent or change global agent settings.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/1/5
● 可疑
安装命令
点击复制官方npx clawhub@latest install spotify-player
镜像加速npx clawhub@latest install spotify-player --registry https://cn.longxiaskill.com