Accompaniment Extractor (伴奏提取器)

Audited by ClawScan on May 10, 2026.

Overview

The skill’s audio-separation purpose is coherent, but it uses YouTube account cookies and enables an unpinned remote yt-dlp component source, so it should be reviewed before installation.

Only install this if you are comfortable running local media tools and giving yt-dlp access to YouTube cookies. Prefer using a separate YouTube account, pass cookies explicitly rather than relying on defaults, and review or disable the remote-components setting before use.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If a cookies file is present, the tool may use logged-in YouTube account session data to download media. The artifacts do not show cookie exfiltration, but the access is sensitive.

Why it was flagged

The script can use a default YouTube cookies file even when the user does not pass --cookies for that run. YouTube/Google cookies are sensitive session material, and the registry metadata declares no primary credential or required config path.

Skill content

default_cookies = os.path.expanduser("~/.yt-dlp/cookies.txt")
if os.path.exists(default_cookies):
    cmd.extend(['--cookies', default_cookies])

Recommendation

Declare the cookie requirement in metadata, require explicit user approval before using cookies, avoid automatic default-cookie use, and recommend a limited/separate account or deleting/revoking cookies after use.

What this means

A download operation may rely on remote components that were not packaged or reviewed with the skill, increasing supply-chain risk.

Why it was flagged

The yt-dlp command enables remote components from GitHub. This is not clearly disclosed in SKILL.md and appears unpinned, so runtime behavior may depend on remote code/components outside the reviewed artifact set.

Skill content

'--remote-components', 'ejs:github',

Recommendation

Avoid remote runtime components by default, pin and document any required remote source, or vendor/audit the needed component as part of the skill package.

What this means

The skill will execute local media-processing and download tools, consuming CPU, disk, and network resources.

Why it was flagged

The script runs local tools such as yt-dlp, ffmpeg, and demucs. This is central to the skill’s audio-processing purpose and uses argument arrays rather than shell=True, but it is still local command execution users should expect.

Skill content

subprocess.run(cmd, capture_output=True, text=True, timeout=180)
...
subprocess.run(cmd, capture_output=True, text=True, timeout=600)

Recommendation

Run it in a controlled environment, review command arguments before use, and install dependencies from trusted sources.

What this means

Users may install the wrong dependency or misunderstand the actual model/output behavior.

Why it was flagged

README.md describes Spleeter and WAV output, while SKILL.md and the script describe Demucs and MP3 output. This inconsistency may mislead users about what will be installed and run.

Skill content

Performs audio source separation based on the [spleeter](https://github.com/deezer/spleeter) deep learning model

Recommendation

Update documentation so README.md, SKILL.md, metadata, and the script consistently describe the same dependencies, model, and output format.