音乐发现应用
PassAudited by ClawScan on May 10, 2026.
Overview
The provided files look like a normal music discovery web app, with routine third-party API calls and a few setup/configuration choices users should review before running.
This appears safe to review as a normal music discovery app. Before installing, make sure you trust the source, audit the Python/Node dependencies, run it bound to localhost unless network access is intended, and do not use the optional TLS setting that disables certificate requirements in production.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If run on an untrusted network, other devices may be able to reach the backend service.
The documented backend run command exposes the development server on all network interfaces rather than only localhost.
python -m uvicorn app.main:app --reload --host 0.0.0.0 --port 8000
For local-only use, bind to `127.0.0.1` or use firewall rules; only bind to `0.0.0.0` when intentional.
If a user enables this mode in production, TLS/client-certificate protections could be weakened.
The HTTPS configuration includes an environment-controlled option to disable certificate requirements.
if ssl_config["ssl_cert_reqs"] == "none":
ssl_context.check_hostname = False
ssl_context.verify_mode = ssl.CERT_NONEDo not set `SSL_CERT_REQS=none` for production; use valid certificates and normal verification settings.
Installing dependencies runs code from third-party packages on the user’s machine.
The skill relies on installing Python and Node dependencies from package managers, which is normal for this app type but still a supply-chain surface.
pip install -r requirements.txt ... npm install
Install only from a trusted copy of the project, review lockfiles, and run dependency audit tools before deployment.
Music searches, artist names, song titles, and radio queries may be visible to the external API providers used by the app.
User search terms and related music queries are sent to external music providers as part of the advertised app functionality.
response = await client.get(ITUNES_SEARCH_URL, params=params)
Avoid entering sensitive personal information as search terms and review each provider’s privacy practices if needed.