Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Gequhai Music

v1.0.1

Search and download music from Gequhai (gequhai.com): search for songs, get download links (lossless/high quality preferred), and download to a Synology NAS with one click. Use this skill when the user asks about a song, searches for music, or wants to download a song.


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for anlinxi/gequhai-music.

Prompt: Install & Setup
Install the skill "Gequhai Music" (anlinxi/gequhai-music) from ClawHub.
Skill page: https://clawhub.ai/anlinxi/gequhai-music
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI


openclaw skills install gequhai-music

ClawHub CLI


npx clawhub@latest install gequhai-music
Security Scan

VirusTotal: Suspicious

OpenClaw: Suspicious (high confidence)

Purpose & Capability (flagged)

Name/description say: search/download music and optionally push to a Synology NAS. The code implements that, but the skill does not ask for user NAS credentials yet includes hardcoded Synology host/user/password (SYNOLOGY_HOST, SYNOLOGY_USER, SYNOLOGY_PASS) in scripts/gequhai_crawler.py. A legitimate NAS-integrated skill should request or document user-provided credentials rather than ship with baked-in secrets and defaults.

Instruction Scope (flagged)

SKILL.md and code instruct the agent to scrape gequhai.com, call its API (with required X-Custom-Header), and add downloads to a Synology DownloadStation. The instructions and code also reference specific local network addresses and concrete NAS credentials, and the service auto-registers itself to a Skill Gateway. These steps go beyond simple search/download instructions by attempting network integration with local infrastructure and by running a web service with background tasks.

Install Mechanism

There is no install spec (instruction-only), but multiple Python files and a FastAPI service are included. No external download/install URLs are used. Risk is limited to code execution when the files are run, not to arbitrary remote installers, but running the included service would install dependencies and expose an HTTP API.

Credentials (flagged)

The skill declares no required env vars or credentials, yet the code embeds sensitive-looking constants: SYNOLOGY_HOST = '192.168.123.223', SYNOLOGY_USER = 'xiaoai', SYNOLOGY_PASS = 'Xx654321'. It also uses SKILL_GATEWAY_URL, SERVICE_PORT, SERVICE_HOST (with defaults) inside service/main.py to register itself. Requiring no credentials in metadata while containing hardcoded secrets is incoherent and dangerous.

Persistence & Privilege (flagged)

always is false, but service/main.py will auto-register to a Skill Gateway on startup (posting base_url built from SERVICE_HOST and SERVICE_PORT) and starts a background task (background_rename_processor) that runs every 30 seconds. The skill will therefore attempt autonomous network activity and keep running periodic tasks if started — this increases blast radius when combined with hardcoded NAS access.
What to consider before installing
Do not install this skill on a machine that has access to sensitive local resources or your real NAS without first auditing and changing it.

Key points to consider before using:

- Hardcoded NAS credentials: scripts/gequhai_crawler.py contains SYNOLOGY_HOST, SYNOLOGY_USER, SYNOLOGY_PASS (values provided). This is a major red flag — change them to require user-supplied values or remove defaults.
- Auto-registration and background tasks: service/main.py will POST to a Skill Gateway on startup and run a background rename processor every 30 seconds. This causes periodic outbound network activity and registers the service endpoint; if you don't want that, either disable startup registration or run the service in a restricted network.
- The skill runs a FastAPI web service exposing /search, /detail, /download endpoints. If you run it, it will listen on a host/port and could be reachable; run in an isolated/containerized environment and restrict network access.
- There is a truncated/buggy part in gequhai_crawler.py (a 'return da' appears in the provided excerpt) — the code may not be fully functional and should be reviewed/tested before use.
- Legal/ethical: the skill scrapes and downloads music; consider copyright and terms of service for the target site and any files you download.

Recommended actions:

1) Inspect the full code (download_song, auto_process_downloads, process_rename_queue) before running. Ensure there are no hidden exfiltration paths.
2) Remove hardcoded credentials; require the user to provide SYNOLOGY_* values via environment variables or a config file.
3) Disable automatic gateway registration (set SKILL_GATEWAY_URL to a safe value or modify startup behavior) if you don't want the skill to advertise itself.
4) Run the service in a sandbox or container with restricted outbound/inbound network rules while testing.
5) If you do not trust the author, prefer not to run the service on networks where the hardcoded credentials could access real devices.
If you provide additional information (full untruncated gequhai_crawler.py and confirmation whether the included passwords are placeholders), I can raise or lower the assessment confidence.
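The two fixes the scan recommends (recommended actions 2 and 3) can be shown in a few lines. The following is an added example, not code from the skill or from ClawHub: a configuration loader that takes the SYNOLOGY_HOST, SYNOLOGY_USER and SYNOLOGY_PASS values only from the user's environment with no baked-in defaults, and a gateway check that makes SKILL_GATEWAY_URL registration opt-in. The variable names come from the scan findings; the function and class names, and the demo environment values, are assumptions made here.

```python
"""Hardened configuration loading for a NAS-integrated skill.

Added example, not the skill's own code. Credentials come from the user's
environment and are required; registration with a Skill Gateway happens
only when SKILL_GATEWAY_URL is explicitly set to an http(s) URL.
"""
import os
from dataclasses import dataclass
from typing import Mapping, Optional
from urllib.parse import urlparse

# Names from the scan findings; the skill currently hardcodes values for these.
REQUIRED_VARS = ("SYNOLOGY_HOST", "SYNOLOGY_USER", "SYNOLOGY_PASS")


class ConfigError(ValueError):
    """Raised when required configuration is missing or malformed."""


@dataclass(frozen=True)
class SynologyConfig:
    host: str
    user: str
    password: str

    def __repr__(self) -> str:
        # Never echo the password into logs, tracebacks or agent transcripts.
        return f"SynologyConfig(host={self.host!r}, user={self.user!r}, password='***')"


def load_synology_config(env: Optional[Mapping[str, str]] = None) -> SynologyConfig:
    """Read NAS credentials from the environment and fail closed if any are absent.

    There are deliberately no defaults: a missing value is an error, not a
    silent fallback to someone else's host, user or password.
    """
    env = os.environ if env is None else env
    missing = [name for name in REQUIRED_VARS if not env.get(name, "").strip()]
    if missing:
        raise ConfigError("missing required environment variables: " + ", ".join(missing))
    return SynologyConfig(
        host=env["SYNOLOGY_HOST"].strip(),
        user=env["SYNOLOGY_USER"].strip(),
        password=env["SYNOLOGY_PASS"],
    )


def gateway_registration_url(env: Optional[Mapping[str, str]] = None) -> Optional[str]:
    """Return the gateway URL to register with, or None to skip registration.

    Registration is opt-in: an unset or blank SKILL_GATEWAY_URL means
    "do not advertise this service"; a non-http(s) value is rejected.
    """
    env = os.environ if env is None else env
    raw = env.get("SKILL_GATEWAY_URL", "").strip()
    if not raw:
        return None
    parsed = urlparse(raw)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        raise ConfigError(f"SKILL_GATEWAY_URL is not an http(s) URL: {raw!r}")
    return raw


if __name__ == "__main__":
    # Constructed environment for a local demonstration; real values come from the user.
    demo_env = {
        "SYNOLOGY_HOST": "nas.example.internal:5000",
        "SYNOLOGY_USER": "media",
        "SYNOLOGY_PASS": "example-only",
    }
    print(load_synology_config(demo_env))
    print("gateway registration:", gateway_registration_url(demo_env))
    try:
        load_synology_config({})
    except ConfigError as exc:
        print("refused to start:", exc)
```

With this in place the service refuses to start without user-supplied credentials instead of quietly using the shipped ones, and it never POSTs to a gateway unless the operator asked for it.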


latest: vk970czhd31myg48dderj0jqe69832hzn
Downloads: 208
Stars: 0
Versions: 2
Updated 8h ago
Version: v1.0.1
License: MIT-0

Gequhai (歌曲海) Music Search and Download Skill

Search Gequhai music, with support for downloading to a Synology NAS.

Features

  1. Search songs - by title/artist
  2. Get download links - lossless/high quality preferred, standard quality otherwise
  3. Charts - hot chart, new songs chart, rising chart, Douyin chart, etc.
  4. Download to Synology - add to Synology DownloadStation with one click

Site information

Download link types

| Type | Description | Downloadable to Synology |
| --- | --- | --- |
| Standard quality (API) | Direct mp3 link obtained through the API | ✅ Yes |
| High quality (direct link) | Direct mp3/flac link on the page | ✅ Yes |
| High quality (netdisk link) | Share link on Quark netdisk or similar | ❌ Download manually |

Important: API requests must carry X-Custom-Header: SecretKey or they will fail!

Usage

1. Search for a song

python scripts/gequhai_crawler.py --search "青花瓷"

2. Get song details and the download link

python scripts/gequhai_crawler.py --detail 553

3. Search and download

python scripts/gequhai_crawler.py --download "周杰伦 晴天"

4. Calling from a Python script

from scripts.gequhai_crawler import search_songs, get_download_url, download_song

# Search songs
songs = search_songs("青花瓷")
for s in songs[:5]:
    print(f"[{s['id']}] {s['title']} - {s['artist']}")

# Get the download link (a direct 'url' or, for netdisk results, 'netdisk_url')
detail = get_download_url("553")
print(f"标题: {detail['title']}")
print(f"下载链接: {detail.get('url', detail.get('netdisk_url'))}")
print(f"品质: {detail.get('quality')}")

# Download to Synology
result = download_song(detail, destination="download/音乐下载")
print(f"下载结果: {result}")

Synology download configuration

| Setting | Value |
| --- | --- |
| Host | 192.168.123.223:5000 |
| User | xiaoai |
| Default download directory | download/音乐下载 |

Interaction flow examples

User asks: help me download Jay Chou's "青花瓷"

  1. Search for "青花瓷"
  2. Get the download link for the first song
  3. If it is a direct link → add it to the Synology download queue
  4. If it is a netdisk link → tell the user the netdisk address

User asks: any good songs recently?

  1. Get the hot songs list
  2. Show it to the user to choose from
  3. Download after the user chooses

Notes

  1. API authentication: the X-Custom-Header: SecretKey header is required; without it the API returns 403
  2. Session: use a Session to keep cookies; visit the play page first, then call the API
  3. Download link types: high quality versions are usually netdisk links; standard quality is a direct mp3 link
  4. Request rate: avoid frequent requests so the IP does not get banned
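The interaction flow above (steps 3 and 4: direct link goes to Synology, netdisk link is reported to the user) and note 3 describe a decision the agent has to make for every song. The following is an added example, not code from the skill: it classifies a link, decides what to do with one detail record in the shape the README's Python example returns (title, url, netdisk_url, quality), and picks the highest-quality candidate that can go straight to DownloadStation. It also refuses to forward anything that is not an http(s) URL to the NAS. The quality tokens, the netdisk host list and the sample records are assumptions constructed for this example.

```python
"""Deciding what to do with a song's download link.

Added example; this is not code from the skill. A direct mp3/flac link can
be handed to Synology DownloadStation, a netdisk share link must be reported
to the user for manual download, and anything else is refused rather than
forwarded to the NAS.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlparse

DIRECT_SUFFIXES = (".mp3", ".flac")
# Assumed share-link hosts; the README only names Quark netdisk as an example.
NETDISK_HOSTS = ("pan.quark.cn", "pan.baidu.com")
# Assumed quality tokens, ranked in the order the README prefers them.
QUALITY_RANK = {"lossless": 3, "high": 2, "standard": 1}


@dataclass(frozen=True)
class LinkDecision:
    action: str            # "synology" (send to DownloadStation), "manual", or "none"
    url: Optional[str]
    reason: str


def classify_link(url: str) -> str:
    """'direct' for an http(s) audio file, 'netdisk' for a share link, else 'unknown'.

    Only http(s) URLs are ever classified as downloadable: a file:// or other
    scheme must never be forwarded to the NAS.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return "unknown"
    if parsed.netloc.lower() in NETDISK_HOSTS:
        return "netdisk"
    if parsed.path.lower().endswith(DIRECT_SUFFIXES):
        return "direct"
    return "unknown"


def decide(detail: Dict[str, str]) -> LinkDecision:
    """Steps 3 and 4 of the interaction flow, for one song detail record."""
    url = detail.get("url")
    if url and classify_link(url) == "direct":
        quality = detail.get("quality", "unknown")
        return LinkDecision("synology", url, f"direct {quality} link, add to DownloadStation")
    netdisk = detail.get("netdisk_url") or url
    if netdisk and classify_link(netdisk) == "netdisk":
        return LinkDecision("manual", netdisk, "netdisk share link, tell the user the address")
    if url or netdisk:
        return LinkDecision("none", url or netdisk, "unrecognised link type, not forwarded to the NAS")
    return LinkDecision("none", None, "song has no download link, pick another song")


def best_for_nas(candidates: List[Dict[str, str]]) -> Optional[Dict[str, str]]:
    """Highest-quality candidate whose link can go straight to DownloadStation."""
    usable = [c for c in candidates if decide(c).action == "synology"]
    if not usable:
        return None
    return max(usable, key=lambda c: QUALITY_RANK.get(c.get("quality", ""), 0))


# Constructed sample records for one song, in the shape get_download_url returns.
CANDIDATES = [
    {"title": "Demo Song", "netdisk_url": "https://pan.quark.cn/s/abc123", "quality": "lossless"},
    {"title": "Demo Song", "url": "https://cdn.example.test/demo-song.flac", "quality": "high"},
    {"title": "Demo Song", "url": "https://cdn.example.test/demo-song.mp3", "quality": "standard"},
]

if __name__ == "__main__":
    for record in CANDIDATES:
        print(decide(record))
    print("best for NAS:", best_for_nas(CANDIDATES))
```

On the sample records the lossless netdisk link is reported for manual download, and the high-quality flac, not the standard mp3, is the one selected for DownloadStation.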

Key code

import requests

BASE_URL = "https://gequhai.com"  # site base URL (scheme assumed; the README only names gequhai.com)
song_id = "553"                   # example song id from the usage section above

# API requests must carry this header
api_headers = {
    "X-Requested-With": "XMLHttpRequest",
    "X-Custom-Header": "SecretKey",  # essential!
}

# Use a Session to keep cookies
session = requests.Session()
# Visit the play page first to obtain the cookie
session.get(f"{BASE_URL}/play/{song_id}")
# Then call the API
session.post(f"{BASE_URL}/api/music", headers=api_headers, data={...})

Error handling

| Error | Cause | Solution |
| --- | --- | --- |
| Song not found | Keyword does not match | Try other keywords |
| No download link | No resource for this song yet | Choose another song |
| Netdisk link | The high quality version is on a netdisk | Download manually or use standard quality |
