Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

MusicBrainz Importer

v1.1.0

Look up and add music metadata on MusicBrainz. Use when asked to check if an artist, album, or release exists on MusicBrainz, find MusicBrainz entries linked...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description (lookup + add metadata on MusicBrainz) matches the code and runtime instructions: curl/jq for API lookups, node + Playwright for browser automation, and scripts for seeding, preflight, and lookups. Required binaries (curl, jq, node) are appropriate.
Instruction Scope
Instructions are focused on MusicBrainz tasks (read/write via API and browser automation). They read/write a credentials file at ~/.openclaw/skills/musicbrainz/.credentials.json, download cover art to /tmp, generate a seed HTML in /tmp/openclaw/uploads, and call external sites (musicbrainz.org, spotify image URLs). These are expected for the stated purpose, but note that credentials are stored in plaintext and the seed HTML generation performs only minimal escaping of quotes (potentially brittle if untrusted input is used).
Install Mechanism
There is no automatic install spec in the registry, but SKILL.md instructs installing Playwright via npm (npx npm install playwright / npx playwright install chromium). Playwright will download bundled Chromium — expected for browser automation but a non-trivial download. The install sources are standard (npm / Playwright), not arbitrary remote archives.
Credentials
The skill does not request unrelated environment variables. It legitimately needs MusicBrainz credentials for write operations (username/password) and optionally uses OPENCLAW_BOT_NAME to form a User-Agent. Storing plaintext credentials in a local skill file is sensitive but proportional to the write functionality; consider file permissions and using an account with limited privileges.
Persistence & Privilege
The skill is user-invocable and not 'always'; it only stores credentials and temporary files under its own skill directory and /tmp. It does not modify other skills or system-wide settings. Autonomous invocation is allowed by default but not combined with elevated privileges here.
Assessment
This skill appears to do what it says: MusicBrainz lookups and adding releases using Playwright. Before installing, consider: (1) Playwright will download Chromium (large binary) and requires Node — allow that only if you trust the source. (2) You must store your MusicBrainz username/password in ~/.openclaw/skills/musicbrainz/.credentials.json (plaintext). If you install, restrict file permissions (chmod 600) or use an account with limited rights, and remove credentials when not needed. (3) The seed HTML writer uses basic quote escaping only — avoid feeding it untrusted JSON. (4) Review and test preflight.sh locally (it attempts a curl login) so you understand what data is transmitted. If any of these are unacceptable, either do not install the skill or modify the scripts to suit your security posture.


Version tag: latest · vk97aeygbzh8twh2ne10va5aag983wzb3


Runtime requirements

🎵 Clawdis
Bins: curl, jq, node
