Play Local Music

Pass. Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: play-music
Version: 0.1.0

The skill bundle is designed for local music playback and exhibits no malicious intent. All file operations (reading music files from `MUSIC_DIR`, writing a lock file to `/tmp/music_player.lock`) and network communications (localhost-only on port 12346) are confined to the stated purpose. The `SKILL.md` and other documentation files contain no prompt injection attempts or instructions for unauthorized actions. `music-server.py` does set `0o666` permissions on its lock file, which makes it world-writable: any local account can rewrite or truncate the stored port number. For a temporary file that holds only a port number this is a minor security hygiene issue rather than a significant vulnerability or a sign of malicious behavior, though the file should be created with owner-only (`0o600`) permissions.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Without the wrapper the skill may not run as documented, and a `play-music` wrapper obtained separately is not covered by the artifacts reviewed here.

Why it was flagged

The supplied file manifest does not include a `play-music` file, only `music-server.py` plus documentation and metadata, so the advertised executable wrapper is not available for review.

Skill content
The skill has **one clear entry point**: `./play-music`
Recommendation

Verify that the installed package includes the expected `play-music` wrapper and inspect it before running; avoid downloading a replacement from an unknown source.

What this means

Installing pygame runs third-party package code from the configured Python package source.

Why it was flagged

The setup depends on a manual, unpinned package install. This is expected for audio playback, but it is still a supply-chain trust point.

Skill content
pip install pygame
Recommendation

Install dependencies from a trusted package index or environment, and pin a known-good pygame version rather than installing whatever the index serves today (for example `pip install "pygame==<verified version>"`, or a requirements file with hashes installed via `pip install --require-hashes -r requirements.txt`).

What this means

A local caller could try to make the player load a file path outside the configured music directory, though no file upload or data exfiltration is shown.

Why it was flagged

The command-provided song name is joined to the music directory without a visible basename or path-resolution check, so a name containing `..` components, or an absolute path, would resolve to a file outside `MUSIC_DIR`. This is local and purpose-aligned: only a process that can reach the localhost control port can send such a command, and the only effect shown is that the player loads the file. It is still a path-containment gap.

Skill content
song_name = command.get("song") ... song_path = MUSIC_DIR / song_name
Recommendation

Use simple filenames for playback, and consider adding a containment check that rejects absolute paths and verifies the resolved path is still under `MUSIC_DIR` (rejecting `..` lexically is not enough on its own, since a symlink inside the directory can point outside it).
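The containment check recommended above, as an added example rather than the skill's own code (the report only shows the join `song_path = MUSIC_DIR / song_name`). The `MUSIC_DIR` location, the set of accepted audio suffixes, and the `handle_play` function name are assumptions made for the example; the sample commands in `run_demo` are constructed inputs run against a temporary directory.

```python
"""Containment check for the song name the play-music server receives.

Added example, not the skill's own code: the report only shows the join
`song_path = MUSIC_DIR / song_name`. MUSIC_DIR below is an assumed location.
"""
import os
import tempfile
from pathlib import Path

MUSIC_DIR = Path("/srv/music")  # assumption: the skill reads its own MUSIC_DIR setting
AUDIO_SUFFIXES = {".mp3", ".ogg", ".wav", ".flac"}  # assumption: formats you expect to play


def resolve_song(song_name, music_dir: Path = MUSIC_DIR) -> Path:
    """Return the absolute path for song_name if, and only if, it stays inside music_dir.

    Raises ValueError otherwise. The check is made on the *resolved* path, so it
    catches `..` components, absolute names, and symlinks that point outside.
    """
    if not isinstance(song_name, str) or not song_name:
        raise ValueError("song must be a non-empty string")
    if "\x00" in song_name:
        raise ValueError("song contains a NUL byte")
    if Path(song_name).is_absolute():
        raise ValueError("absolute paths are not allowed")

    root = music_dir.resolve()
    # resolve() follows symlinks and collapses '..', even for paths that do not exist yet
    candidate = (root / song_name).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise ValueError(f"{song_name!r} escapes the music directory") from None
    if candidate.suffix.lower() not in AUDIO_SUFFIXES:
        raise ValueError(f"{song_name!r} is not an audio file")
    return candidate


def handle_play(command: dict, music_dir: Path = MUSIC_DIR) -> str:
    """Hardened form of the report's `song_name = command.get("song")` step (assumed name)."""
    try:
        path = resolve_song(command.get("song"), music_dir)
    except ValueError as exc:
        return f"rejected: {exc}"
    if not path.is_file():
        return f"rejected: {path.name} not found"
    return f"ok: {path}"


def run_demo() -> dict:
    """Constructed inputs exercising the check against a temporary music directory."""
    music = Path(tempfile.mkdtemp(prefix="music-"))
    (music / "track.mp3").write_bytes(b"")
    outside = Path(tempfile.mkdtemp(prefix="other-")) / "outside.mp3"
    outside.write_bytes(b"")
    try:
        os.symlink(outside, music / "link.mp3")  # a symlink that escapes the directory
    except OSError:
        pass  # platforms without symlink support simply skip this case

    commands = {
        "plain": {"song": "track.mp3"},
        "subdir": {"song": "sub/../track.mp3"},   # collapses back inside: allowed
        "traversal": {"song": "../outside.mp3"},
        "absolute": {"song": str(outside)},
        "symlink": {"song": "link.mp3"},
        "missing": {},                             # command.get("song") is None
        "wrong_type": {"song": 42},
    }
    return {name: handle_play(cmd, music) for name, cmd in commands.items()}
```

`relative_to` on the resolved path is what does the work: a lexical `..` filter would let `link.mp3` through, while the resolved path of the symlink lands outside `root` and is rejected.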

Note (High Confidence)
ASI10: Rogue Agents
What this means

The skill may leave a local background process active until music is stopped or the server is shut down.

Why it was flagged

The skill intentionally starts a background server for playback control. This is disclosed and fits the purpose, but users should be aware it can keep running during playback.

Skill content
The server auto-starts when you play music and auto-shuts down when you stop music.
Recommendation

Use `stop` or `server-stop` when finished, and if playback control behaves unexpectedly check whether anything is still listening on the local control port (for example `ss -ltnp | grep 12346`) and whether `/tmp/music_player.lock` is still present.
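A check a user can run for the two runtime facts above (the lock file noted in the overview as created with `0o666`, and the background server on localhost:12346), together with the owner-only way of writing that lock file. This is an added example, not code from the skill. It assumes the lock file holds the port as decimal text (the report only says it contains a port number) and that the server listens on 127.0.0.1:12346; the files created in `run_demo` are constructed for the example.

```python
"""Lock-file and control-port checks for the play-music background server.

Added example, not the skill's own code. Assumptions: the lock file holds the
listening port as decimal text, and the server listens on 127.0.0.1:12346.
"""
import os
import socket
import stat
import tempfile
from pathlib import Path

LOCK_FILE = Path("/tmp/music_player.lock")  # path from the report
EXPECTED_PORT = 12346                        # port from the report


def write_lock_file(path: Path, port: int) -> None:
    """Owner-only replacement for a 0o666 lock file.

    O_EXCL refuses to reuse an existing file, so another local account cannot
    pre-create a file or symlink at this path for the server to write into.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(f"{port}\n")


def inspect_lock_file(path: Path = LOCK_FILE) -> dict:
    """Describe the lock file: presence, ownership, world-writability, stored port."""
    info = {"exists": False, "symlink": False, "world_writable": False,
            "owned_by_me": None, "port": None, "port_ok": False}
    try:
        st = path.lstat()  # lstat: do not follow a symlink someone planted here
    except FileNotFoundError:
        return info
    info["exists"] = True
    info["symlink"] = stat.S_ISLNK(st.st_mode)
    info["world_writable"] = bool(st.st_mode & stat.S_IWOTH)
    if hasattr(os, "getuid"):  # POSIX only
        info["owned_by_me"] = st.st_uid == os.getuid()
    if info["symlink"]:
        return info  # content reached through a symlink is not trusted
    try:
        info["port"] = int(path.read_text().strip())
    except ValueError:
        return info  # not the "port number only" content the report describes
    info["port_ok"] = info["port"] == EXPECTED_PORT
    return info


def server_listening(port: int = EXPECTED_PORT, host: str = "127.0.0.1") -> bool:
    """True if something accepts TCP connections on the control port."""
    try:
        with socket.create_connection((host, port), timeout=0.5):
            return True
    except OSError:
        return False


def run_demo() -> dict:
    """Constructed lock files: one written the skill's way (0o666), one the hardened way."""
    tmp = Path(tempfile.mkdtemp(prefix="lock-"))
    loose = tmp / "music_player.lock"
    loose.write_text(f"{EXPECTED_PORT}\n")
    loose.chmod(0o666)                         # mirrors what the report observed
    tight = tmp / "music_player.lock.fixed"
    write_lock_file(tight, EXPECTED_PORT)
    tampered = tmp / "music_player.lock.tampered"
    tampered.write_text("9999\n")              # what a rewrite by another account looks like
    return {
        "loose": inspect_lock_file(loose),
        "tight": inspect_lock_file(tight),
        "tampered": inspect_lock_file(tampered),
        "missing": inspect_lock_file(tmp / "absent"),
    }
```

`inspect_lock_file(); server_listening()` after `stop` or `server-stop` should report the file absent and nothing listening; a file that is present, world-writable, or carrying an unexpected port is the case the recommendation asks you to look at.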