Skill v1.0.0
ClawScan security
Lu Music Player · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 8, 2026, 5:10 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's instructions and requirements are consistent with a Mopidy/NAS management helper, but it contains author-specific hardcoded addresses, Docker assumptions, and a risky troubleshooting suggestion (chmod 777) you should review before using.
- Guidance: This skill appears to be a simple Mopidy/NAS helper and is internally consistent, but it's tailored to the author's environment. Before using: (1) Don't blindly run commands — verify container names and paths on your system. (2) Replace or remove hardcoded URLs/IPs and set MOPIDY_URL/MOPIDY_IRIS_URL to your values. (3) Avoid 'chmod -R 777' — prefer correcting ownership/permissions with least privilege. (4) Be cautious about running docker exec/docker-compose restart on production machines. If you want the skill generalized, ask the author to remove hardcoded addresses and avoid recommending globally permissive file permissions.
Review Dimensions
- Purpose & Capability (note): The name/description match the instructions: SKILL.md gives Mopidy status, playback control, volume, scanning, and playlist guidance. However the doc contains hardcoded host addresses (192.168.3.26 and music.jesson.online), a specific local path (/vol1/1000/...), and assumes a Docker container named 'mopidy' — these are environment-specific and not generally applicable.
- Instruction Scope (note): Instructions stay within the Mopidy management scope (checking logs, docker commands, restarting, scanning). They include troubleshooting steps that require shell access (docker exec, docker-compose restart, docker logs) and suggest 'chmod -R 777' for a music folder — a potentially dangerous, overly-permissive operation. The skill also references external URLs (an IP and a domain) and shows example commands; no hidden data-exfiltration steps are present.
- Install Mechanism (ok): No install spec and no code files — instruction-only. This minimizes installation risk because nothing is written/executed automatically by the skill itself.
- Credentials (ok): The skill declares no required environment variables or credentials. The SKILL.md suggests optional MOPIDY_URL and MOPIDY_IRIS_URL variables for convenience, which is proportionate. No unrelated credentials or secrets are requested.
- Persistence & Privilege (ok): always is false (no forced/global presence) and model invocation is normal. The skill doesn't request persistent system changes or attempt to modify other skills; it only provides manual commands for the user/administrator to run.
