Is mixx85/spotify-claw safe?

https://github.com/openclaw/skills/tree/main/skills/mixx85/spotify-claw

Overall score: 91/100
Verdict: SAFE

This is a comprehensive Spotify control skill that provides extensive music management functionality through legitimate Spotify Web API integration. While it contains strong execution directives and auto-launches applications, the code appears genuine and properly implemented.

Category Scores (score out of 100, and weight in the overall score)

Category                Score     Weight
Prompt Injection        80/100    30%
Data Exfiltration       95/100    25%
Code Execution          90/100    20%
Clone Behavior          100/100   10%
Canary Integrity        100/100   10%
Behavioral Reasoning    95/100    5%

Findings (4)

[MEDIUM] Mandatory command execution directive (-20)

The skill contains a strong directive 'ALWAYS run python3 ~/.openclaw/scripts/spotify.py [cmd] — never respond with text only' which could override user preferences for text-only responses in some scenarios.

[LOW] Accesses Spotify API credentials (-5)

The skill reads Spotify client ID and secret from macOS Keychain, which is legitimate for its stated functionality but involves credential access.

[LOW] Executable Python script (-10)

The skill contains a comprehensive Python script that will be executed to control Spotify functionality, including system calls to launch applications.

[LOW] Auto-launches external application (-5)

The skill automatically launches the Spotify application when it's not running, which some users might find intrusive.