Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Music Player for Windows
v1.1.0
Provides music search, high-quality download, ID3 metadata embedding, and local playback on Windows using multiple music API sources.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The name/description (music search, download, metadata, playback on Windows) align with the included Python scripts (search/download variants, metadata embedding, play_music). Network access to music APIs (netease / go-music-api / UOMG) is required and present, which is consistent with the stated purpose.
Instruction Scope
SKILL.md instructs only expected actions (install Python libs, run the provided scripts). It does not attempt to read unrelated system files or request secrets. Minor scope oddities: it recommends installing 'python-pptx' although no code references python-pptx; PUBLISH_GUIDE documents running 'clawhub login' (user-supplied credentials) but does not perform automatic login. Default download path uses an Administrator workspace path which is an implementation choice but not a secret access attempt.
Install Mechanism
There is no install script that downloads arbitrary executables or archives; the package is delivered as source Python scripts and documentation. Dependencies are normal Python packages (requests, mutagen). No remote install URLs, URL shorteners, or extract steps were observed.
Credentials
The skill declares no required environment variables or credentials. The code also does not access environment variables or other credentials. It performs network calls to public music APIs, which is proportionate to the functionality. Note: reliance on third‑party API endpoints (e.g., music-api.caorushizi.cn, api.uomg.com) means requests will go to external servers — expected but worth verifying their trustworthiness.
Persistence & Privilege
always:false and no install-time changes to other skills or system-wide settings. The skill writes downloaded MP3 files to a local workspace path (expected for a downloader) and does not persist elevated privileges or alter other skills' configs.
Assessment
This skill appears to do what it claims: search music via public APIs, download MP3s, embed ID3 tags, and open them in the default player. Before installing or running it:
1) Review and, if possible, run the scripts in an isolated environment (VM) because they download content from external servers.
2) Confirm the third‑party API endpoints used (music-api.caorushizi.cn, api.uomg.com) are trustworthy for your use; these are required for functionality and will receive requests and potentially logs.
3) Be aware of copyright/legal issues when downloading music — the code does not enforce licensing.
4) The docs mention installing python-pptx though it is unused in the code; you can omit that dependency.
5) The PUBLISH_GUIDE suggests 'clawhub login' — never paste credentials into unfamiliar services; only authenticate to platforms you trust.
If you need higher assurance, request the author's source repository or run a security review in a sandbox before giving this skill network or file-system access.
Like a lobster shell, security has layers — review code before you run it.
