ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ncm-cli setup

v1.0.1

安装和配置 ncm-cli(网易云音乐 CLI 工具)。当用户需要安装 ncm-cli、配置 API Key、安装 mpv 播放器,或排查安装问题时,使用此 skill。

0· 190·4 current·4 all-time
by@junfengl
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description (install and configure ncm-cli and mpv) matches the instructions and the included Python installer. The npm global install of @music163/ncm-cli and configuring appId/privateKey are expected for this purpose.
Instruction Scope
SKILL.md instructs the agent/user to run npm install -g, set API keys, choose a player, and run the bundled python installer. The instructions do not attempt to read unrelated system files or exfiltrate data, but they do execute system package-manager commands and call sudo when needed — so the installer will run privileged system operations to install mpv.
Install Mechanism
There is no separate install spec; this is instruction-driven with an included scripts/install_mpv.py. The script invokes platform package managers (apt, dnf, pacman, brew, winget, choco, scoop) via shell commands. That is expected for an installer but means the script will execute commands that download and install software from the system's package sources.
Credentials
The skill declares no required environment variables, credentials, or config paths. The SKILL.md asks the user to set ncm-cli appId/privateKey via ncm-cli config, which is appropriate and local to the tool.
Persistence & Privilege
always is false and the skill does not attempt to modify other skills or system agent configuration. It does require elevated privileges only insofar as installing system packages (uses sudo when needed).
Assessment
This skill is coherent with its stated purpose: it will run npm to install ncm-cli and may run the bundled Python script to invoke your system package manager and install mpv (using sudo). Before running: review the install_mpv.py script (already included), be prepared to enter your password for sudo, and ensure you trust the system package repositories on your machine. The skill does not request secrets or contact unknown external endpoints, but it will perform privileged package installs — run it only on machines where you trust making system changes.

Like a lobster shell, security has layers — review code before you run it.

latestvk970y5x90cphxb4s2hheqyk0h58384pg

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments