desktop-music-launcher
v1.0.0检索本机已安装音乐软件,启动它,并根据用户需求推荐、搜索或播放歌曲;在 macOS 上可用 AppleScript 控制 Spotify 和 Apple Music,并为 Spotify 增加可选的精确点播链路。
⭐ 0· 204·0 current·0 all-time
byvx:17605205782@52yuanchangxing
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description match the included scripts and resources: the package discovers installed music apps, opens them, searches, recommends, and on macOS uses AppleScript to control Spotify/Apple Music. The optional Spotify Web API token feature (to perform precise track search + play) is a coherent enhancement for the stated capability.
Instruction Scope
Runtime instructions confine actions to local discovery (PATH and common install locations), opening apps/URIs, passing explicit files/URLs to players, and calling osascript on macOS. The script can also make network requests to Spotify Web API if a token is supplied. It uses subprocess/launch for starting apps (Windows branch may use shell=True for some command forms), so verify any command inputs come from local resources or user input rather than untrusted sources.
Install Mechanism
No installer is used (instruction-only with bundled Python scripts). Nothing is downloaded or executed from remote URLs during install; risk from installation mechanism is low.
Credentials
The skill declares no required environment variables in metadata, but the README and code support an optional SPOTIFY_ACCESS_TOKEN (and a --spotify-token flag) to enable Spotify Web API calls. This optional credential is proportional to the enhanced Spotify feature, but it is not listed in metadata — a minor documentation/metadata mismatch. No other unrelated credentials are requested.
Persistence & Privilege
always is false and the skill does not request persistent system modifications. It can be invoked autonomously by the agent (platform default) and can open apps / run AppleScript when invoked; that is expected for this functionality. macOS control requires that the host app has Accessibility/Automation permissions, which the skill notes.
Assessment
This skill appears to do what it says: discover installed players, open/search/play, and on macOS control apps via AppleScript. Points to consider before installing:
- Optional Spotify token: If you provide SPOTIFY_ACCESS_TOKEN (or pass --spotify-token), the skill will make network calls to Spotify's Web API. If you are cautious about credentials, prefer passing a token only for a single command (via flag) rather than exporting it globally.
- macOS automation: To enable control features the host app must be granted Accessibility and Automation permissions. Granting those permissions is powerful — review whether you want the host app to have them.
- Local actions and subprocesses: The script launches local programs and uses subprocess calls (on Windows some command forms use shell=True). This is expected but means the skill can open arbitrary files/URIs you ask it to; avoid giving it untrusted file paths or URLs.
- Inspect & test locally: If unsure, run the provided smoke_check.py and the 'scan' and 'search' commands locally to see JSON outputs before allowing autonomous use. Review the resources/music_apps.json to see which paths/commands it will probe on your system.
Overall: the implementation is coherent with its purpose. If you plan to use Spotify precise-play, only supply tokens you trust and prefer ephemeral/command-scoped use.Like a lobster shell, security has layers — review code before you run it.
latestvk97326e9nsve6w77qhf1gfb2k582rfvq
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🎵 Clawdis
OSWindows · macOS · Linux
Any binpython3, python