音乐发现应用
PassAudited by VirusTotal on May 10, 2026.
Overview
Type: OpenClaw Skill Name: music-discovery-app Version: 1.0.0 The music-discovery-app is a well-documented and professionally structured skill bundle for a music search and radio application. The backend (backend/app/main.py) uses FastAPI with Pydantic for strict input validation and slowapi for rate limiting, while the frontend (frontend/src/app/page.tsx) is a standard Next.js application. The bundle integrates several legitimate public APIs (iTunes, MusicBrainz, Radio Browser) and includes comprehensive security warnings and best practices in SKILL.md. No evidence of data exfiltration, malicious execution, or prompt injection was found; the code logic is entirely consistent with its stated purpose.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If run on an untrusted network, other devices may be able to reach the backend service.
The documented backend run command exposes the development server on all network interfaces rather than only localhost.
python -m uvicorn app.main:app --reload --host 0.0.0.0 --port 8000
For local-only use, bind to `127.0.0.1` or use firewall rules; only bind to `0.0.0.0` when intentional.
If a user enables this mode in production, TLS/client-certificate protections could be weakened.
The HTTPS configuration includes an environment-controlled option to disable certificate requirements.
if ssl_config["ssl_cert_reqs"] == "none":
ssl_context.check_hostname = False
ssl_context.verify_mode = ssl.CERT_NONEDo not set `SSL_CERT_REQS=none` for production; use valid certificates and normal verification settings.
Installing dependencies runs code from third-party packages on the user’s machine.
The skill relies on installing Python and Node dependencies from package managers, which is normal for this app type but still a supply-chain surface.
pip install -r requirements.txt ... npm install
Install only from a trusted copy of the project, review lockfiles, and run dependency audit tools before deployment.
Music searches, artist names, song titles, and radio queries may be visible to the external API providers used by the app.
User search terms and related music queries are sent to external music providers as part of the advertised app functionality.
response = await client.get(ITUNES_SEARCH_URL, params=params)
Avoid entering sensitive personal information as search terms and review each provider’s privacy practices if needed.