Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

music-downloader

v1.0.1

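Supports downloading audio, cover art, metadata and lyrics from 1000+ music platforms, automatically selecting the best audio quality and embedding the cover art.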

0· 83·0 current·0 all-time
by 噢福阔斯KANG @jinkang19940922

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for jinkang19940922/music-downloader-jinkang.

Install the skill "music-downloader" (jinkang19940922/music-downloader-jinkang) from ClawHub.
Skill page: https://clawhub.ai/jinkang19940922/music-downloader-jinkang
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install music-downloader-jinkang

ClawHub CLI

npx clawhub@latest install music-downloader-jinkang

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (high confidence)

! Purpose & Capability
The SKILL.md and description claim a downloader that invokes a Python script, but the manifest says 'required binaries: none' while the included script clearly requires yt-dlp (invoked via subprocess) and a Python runtime. The skill also hardcodes a network proxy (http://192.168.10.222:7890) which is unrelated to the declared requirements and not documented in SKILL.md.
! Instruction Scope
SKILL.md instructs the agent to run the provided Python script but does not disclose that the script unconditionally sets http_proxy/https_proxy for all yt-dlp subprocesses. The script also allows arbitrary output paths (and examples reference agent-local paths like /home/node/.openclaw), meaning it will create and write files anywhere the agent can access. These behaviors expand scope beyond the plain 'download audio' description and are not called out in the instructions.
Install Mechanism
There is no install spec (instruction-only), so nothing extra is written to disk by the registry. However, the bundled code depends on an external binary (yt-dlp) and network access; the manifest should declare this dependency. No remote downloads are performed by the skill itself.
! Credentials
The skill declares no required environment variables, yet the script forcibly sets http_proxy and https_proxy to a hardcoded address (192.168.10.222:7890). This provides an undisclosed network redirection channel that could capture or alter requests/results. The default output directory (/other/music) and example paths can point into agent or system areas, allowing broad filesystem writes without explicit declaration.
Persistence & Privilege
The skill is not always-enabled and does not request special persistent privileges or modify other skills' configs. It runs only when invoked by the user/agent.
What to consider before installing
This skill appears to implement the advertised downloader but has unexpected behaviors you should consider before installing:

  • It calls the external tool yt-dlp but the manifest does not declare yt-dlp as a required binary; ensure yt-dlp (and a suitable Python) is installed if you plan to use it.
  • The script hardcodes a proxy (http://192.168.10.222:7890) and forces all subprocess network traffic through it. That proxy could observe or tamper with downloads and metadata — ask the author why this is necessary or remove/override the proxy before running. Treat this as a potential exfiltration channel until verified.
  • The default and example output paths include shared or agent-local locations (/other/music, /home/node/.openclaw). Consider running in a sandbox or changing the output directory to a safe, user-controlled path.
  • If you cannot verify the proxy and dependency intentions from the author, run the script in an isolated environment (VM or container) and inspect network traffic, or request a revised version that documents/avoids hardcoded proxies and lists required binaries.

What would change the assessment: clear documentation from the author that the proxy is optional and points to a user-controlled/local proxy, or a version that removes/parametrizes the hardcoded proxy and lists yt-dlp as a required dependency would reduce the concern.

Like a lobster shell, security has layers — review code before you run it.

Tags: audio, download, latest, music
83 downloads
0 stars
2 versions
Updated 2w ago
v1.0.1
MIT-0

Music Downloader Skill

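Downloads songs from major music platforms, including audio, cover art, metadata and lyrics.

Activation conditions

The skill activates when the user mentions any of the following keywords:

  • 下载音乐 (download music)
  • 歌曲下载 (song download)
  • music download
  • 放歌 (play a song)
  • 唱首歌 (sing a song)
  • 点歌 (request a song)

Or when the user provides:

  • A music link (YouTube, SoundCloud, etc.)
  • Song title + artist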

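Supported platforms

Platform | Support status
YouTube | ✅ Fully supported
SoundCloud | ✅ Fully supported
Vimeo | ✅ Fully supported
NetEase Cloud Music | ⚠️ Requires cookies
QQ Music | ⚠️ Partial support
Spotify | ⚠️ Requires API
Other 1000+ sites | ✅ via yt-dlp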

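Features

  1. Automatic best quality - automatically selects the best audio quality and falls back to lower quality until a download succeeds
  2. Cover embedding - automatically fetches and embeds the cover image
  3. Metadata - title, artist, album, year
  4. Lyrics download - automatically downloads the .lrc lyrics file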

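Usage

Method 1: Download by URL

Download https://www.youtube.com/watch?v=xxx

Method 2: Search and download

Download 演员 薛之谦
Download 周杰伦 晴天
Download <song title> <artist>

Method 3: Specify an output directory

Download 演员 to /other/music
Download 晴天 to /home/node/.openclaw/other/music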

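Output specification

Item | Format
Audio | MP3 (best quality selected automatically)
Cover | Embedded cover art
Metadata | Title, artist, album
Lyrics | .lrc file
Default path | /other/music/ (shared space)

Command-line arguments (optional)

-q, --quality   Audio quality: auto (default)/128/192/320
-f, --format   Format: mp3 (default)/flac/m4a
-o, --output   Output directory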

Usage examples

Download 演员 薛之谦
Download 演员 薛之谦 -q 320
Download https://youtu.be/xxx
Download <song title> -o /other/music

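Executable

  • Python script: skills/music-downloader/music_downloader.py
  • Invocation: run the Python script directly

Notes

  • YouTube search gives the best results
  • Some platforms require a proxy/VPN
  • Because of platform DRM, some songs may not be downloadable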
