Play Local Music
Pass
Audited by ClawScan on May 10, 2026.
Overview
The artifacts mostly describe a local music player with no credential or exfiltration behavior shown, but the advertised wrapper is missing and it uses a localhost background server.
Before installing, verify the package source and the missing `play-music` wrapper, install pygame from a trusted source, keep `MUSIC_DIR` scoped to intended audio files, use simple filenames, and stop the local server when done.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may not run as documented, and any separately obtained wrapper would be unreviewed by these artifacts.
The supplied file manifest does not include a `play-music` file, only `music-server.py` plus documentation and metadata, so the advertised executable wrapper is not available for review.
The skill has **one clear entry point**: `./play-music`
Verify that the installed package includes the expected `play-music` wrapper and inspect it before running; avoid downloading a replacement from an unknown source.

Installing pygame runs third-party package code from the configured Python package source.
The setup depends on a manual, unpinned package install. This is expected for audio playback, but it is still a supply-chain trust point.
`pip install pygame`
Install dependencies from a trusted package index or environment, and consider pinning a known-good pygame version.

A local caller could try to make the player load a file path outside the configured music directory, though no file upload or data exfiltration is shown.
The command-provided song name is joined to the music directory without a visible basename or path-resolution check. This is local and purpose-aligned, but path components could attempt to play files outside the intended folder.
`song_name = command.get("song") ... song_path = MUSIC_DIR / song_name`
Use simple filenames for playback and consider adding path normalization that rejects `..` or absolute paths.

The skill may leave a local background process active until music is stopped or the server is shut down.
The skill intentionally starts a background server for playback control. This is disclosed and fits the purpose, but users should be aware it can keep running during playback.
The server auto-starts when you play music and auto-shuts down when you stop music.
Use `stop` or `server-stop` when finished, and check the local port/process if playback control behaves unexpectedly.
