Is ledzgio/spoticlaw safe?

https://github.com/openclaw/skills/tree/main/skills/ledzgio/spoticlaw

90
SAFE

Spoticlaw is a well-structured Spotify Web API client with clean code and no prompt injection, malware, or exfiltration behavior. The primary risks are privacy-related: the skill grants the agent access to the user's Spotify email, long-term listening history, and personalization data, and it can modify playlists and the user's library on their behalf. All network activity during install and operation is scoped to GitHub and legitimate Spotify endpoints, canary files were untouched, and no malicious code patterns were identified.

Category Scores

Prompt Injection 96/100 · 30%
Data Exfiltration 83/100 · 25%
Code Execution 88/100 · 20%
Clone Behavior 93/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 78/100 · 5%

Findings (8)

LOW Agent environment variables read at import time -7

spoticlaw.py calls os.getenv() for SPOTIFY_CLIENT_ID, SPOTIFY_CLIENT_SECRET, SPOTIFY_REDIRECT_URI, and SPOTIFY_CACHE_PATH at module load time. If the agent's environment contains additional secrets with unexpected names, they are not consumed — but the skill has full read access to the environment namespace shared with the agent process.

LOW Personal data (email, listening history) exposed to agent context -12

The user().me() method returns the Spotify user's email address and country. The personalisation and player.get_recently_played() endpoints return behavioral listening data. An agent with this skill active could leak these to a conversational transcript or model context.

LOW auth.py opens local HTTP server and browser -7

The authentication helper binds a local HTTPServer to port 8888 and calls webbrowser.open() on the user's machine. This is standard OAuth code-flow behavior but represents code that launches a server process and opens a browser tab.

LOW OAuth token written to and read from local cache file -5

The skill persists the Spotify OAuth access_token and refresh_token to .spotify_cache. Any other process with filesystem access to the skill directory can read these tokens. Token auto-refresh also sends client credentials to accounts.spotify.com.

LOW Overly broad OAuth scope requested -5

auth.py requests user-follow-read even though no follow/unfollow write primitives are exposed by the skill. This is a minor scope over-request that grants the agent read access to followed artists beyond the documented feature set.

INFO Install clones from GitHub monorepo via HTTPS 0

Installation performs a sparse git clone of the openclaw/skills monorepo, checks out only the spoticlaw subdirectory, and cleans up. All network activity is to 140.82.121.3:443 (GitHub). No side effects outside the skill directory.

INFO All canary files intact 0

Honeypot files (.env, id_rsa, AWS credentials, npmrc, docker config, GCP credentials) were not modified or exfiltrated. File accesses visible in monitoring logs are from the audit framework's own canary setup and verification, with timestamps predating skill installation.

INFO SKILL.md is clean API documentation 0

The SKILL.md contains only Spotify API usage examples, parameter documentation, and error handling guidance. No adversarial instruction patterns, hidden content, or manipulation techniques detected.