spoti-cli
spoti-cli
Prerequisites
Check auth: spoti-cli me --json. If it fails:
- Install:
bun add -g @crafter/spoti-cli - Run
spoti-cli auth— it prints the exact dashboard URL, redirect URI (http://127.0.0.1:8888/callback), and API checkbox (Web API) to use - Re-run with
spoti-cli auth --client-id <CLIENT_ID>once you have the ID
The CLI walks the user through Spotify dashboard setup. Don't repeat the steps yourself — point them at spoti-cli auth and let them paste the output.
Workflow
1. Parse Intent
Three modes:
More from crafter-station/skills
intent-layer
>
220skillkit
Local-first analytics for AI agent skills. Use when user asks about skill usage, analytics, health, context budget, cost/burn rate, trigger conflicts, dead weight analysis, or wants to clean up unused skills.
27skill-gen
Auto-generate Claude skills from documentation URLs using Firecrawl agent. Use when user wants to create a skill from docs, API references, or tool homepages. Asks up to 3 clarifying questions before deep extraction. Supports topic focus (e.g., "only auth endpoints") and outputs to local .claude/skills/ by default.
12supply-chain-audit
Read-only audit of a developer machine for npm/PyPI supply-chain compromise. Checks for known IOCs from the 2025-2026 wave — Shai-Hulud 2.0 (Nov 2025), Mini Shai-Hulud / TeamPCP (May 2026), Axios DPRK (Mar 2026), and any future campaigns added to the IOC pack. Scans persistence artifacts (LaunchAgent / systemd unit / Windows Run key / gh-token-monitor), payload files (router_init.js, setup_bun.js, bun_environment.js), compromised package versions in every node_modules under the user's project roots, C2 / typosquat domain strings (git-tanstack.com, api.masscan.cloud, sfrclak.com, getsession.org), malicious commit hashes (79ac49ee), payload SHA256s, optionalDependencies pointing at git refs, and files written during the published attack windows. Produces a PASS/FAIL verdict, IOC checklist, at-risk package list, phase summary, and 48h bake-period remediation. Use this skill whenever the user asks "am I affected by the npm attack", "scan my machine", "check if I'm infected", "is package X compromised", "audit my coworker's machine", mentions Shai-Hulud / TanStack hack / TeamPCP / Mini Shai-Hulud / pull_request_target compromise / npm worm / axios attack / Bun installer malware / TruffleHog secret theft, asks about IOCs or supply chain risk, or wants to verify a host after a security disclosure. Trigger even when the user uses informal phrasing ("estoy chiveado?", "ya me hackearon?", "this safe?"). Never modifies files.
1