Music Discovery App

Advisory: Audited by static analysis on May 10, 2026.

Overview

Detected: suspicious.env_credential_access, suspicious.insecure_tls_verification

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If run on an untrusted network, other devices may be able to reach the backend service.

Why it was flagged

The documented backend run command exposes the development server on all network interfaces rather than only localhost.

Skill content
python -m uvicorn app.main:app --reload --host 0.0.0.0 --port 8000
Recommendation

For local-only use, bind to `127.0.0.1` or use firewall rules; only bind to `0.0.0.0` when intentional.

What this means

If a user enables this mode in production, TLS/client-certificate protections could be weakened.

Why it was flagged

The HTTPS configuration includes an environment-controlled option to disable certificate requirements.

Skill content
if ssl_config["ssl_cert_reqs"] == "none":
    ssl_context.check_hostname = False
    ssl_context.verify_mode = ssl.CERT_NONE
Recommendation

Do not set `SSL_CERT_REQS=none` for production; use valid certificates and normal verification settings.

What this means

Installing dependencies runs code from third-party packages on the user’s machine.

Why it was flagged

The skill relies on installing Python and Node dependencies from package managers, which is normal for this app type but still a supply-chain surface.

Skill content
pip install -r requirements.txt
...
npm install
Recommendation

Install only from a trusted copy of the project, review lockfiles, and run dependency audit tools before deployment.

What this means

Music searches, artist names, song titles, and radio queries may be visible to the external API providers used by the app.

Why it was flagged

User search terms and related music queries are sent to external music providers as part of the advertised app functionality.

Skill content
response = await client.get(ITUNES_SEARCH_URL, params=params)
Recommendation

Avoid entering sensitive personal information as search terms and review each provider’s privacy practices if needed.

Findings (2)

critical

suspicious.env_credential_access

Location
frontend/src/api/music.ts:3
Finding
Environment variable access combined with network send.
warn

suspicious.insecure_tls_verification

Location
backend/ssl_config.py:70
Finding
HTTPS certificate verification is disabled.