ncm-cli setup
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A global npm install can add executable code to the user's environment.
The skill asks the user to install a global npm package without a pinned version. This is central to the setup purpose, but users should verify the package identity and trust the upstream source.
npm install -g @music163/ncm-cli
Verify that @music163/ncm-cli is the intended official package before installing, and prefer trusted package sources.
Running the helper may install system packages and request elevated privileges.
The helper script runs shell package-manager commands, including sudo on Linux. The commands are fixed and purpose-aligned with installing mpv, but they modify the system.
run("sudo apt-get update -q && sudo apt-get install -y mpv")Run the installer only when you want mpv installed, and review any sudo/package-manager prompts before approving them.
Your ncm-cli configuration may store API credentials and login state for the music service.
The skill instructs users to configure an API appId/privateKey and log in. This is expected for ncm-cli, but it involves account credentials even though the registry metadata lists no primary credential.
ncm-cli config set appId <你的AppId> ncm-cli config set privateKey <你的PrivateKey> ... ncm-cli login --background
Use credentials intended for ncm-cli, avoid sharing the privateKey, and understand where ncm-cli stores its configuration.