ncm-cli setup

Pass

Audited by VirusTotal on May 9, 2026.

Overview

Type: OpenClaw Skill
Name: ncm-cli-setup
Version: 1.0.1

The skill bundle automates the installation of ncm-cli and mpv using high-privilege system operations. The script 'scripts/install_mpv.py' utilizes 'sudo' and 'shell=True' to interface with various system package managers (e.g., apt, brew, winget), which are high-risk behaviors even if aligned with the stated purpose. Additionally, 'SKILL.md' directs the agent to handle sensitive user credentials (API keys) and perform global npm installations, which are considered risky capabilities in an automated agent context.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A global npm install can add executable code to the user's environment.

Why it was flagged

The skill asks the user to install a global npm package without a pinned version. This is central to the setup purpose, but users should verify the package identity and trust the upstream source.

Skill content

npm install -g @music163/ncm-cli

Recommendation

Verify that @music163/ncm-cli is the intended official package before installing, and prefer trusted package sources.

What this means

Running the helper may install system packages and request elevated privileges.

Why it was flagged

The helper script runs shell package-manager commands, including sudo on Linux. The commands are fixed and purpose-aligned with installing mpv, but they modify the system.

Skill content

run("sudo apt-get update -q && sudo apt-get install -y mpv")

Recommendation

Run the installer only when you want mpv installed, and review any sudo/package-manager prompts before approving them.

What this means

Your ncm-cli configuration may store API credentials and login state for the music service.

Why it was flagged

The skill instructs users to configure an API appId/privateKey and log in. This is expected for ncm-cli, but it involves account credentials even though the registry metadata lists no primary credential.

Skill content

ncm-cli config set appId <你的AppId>
ncm-cli config set privateKey <你的PrivateKey>
...
ncm-cli login --background

Recommendation

Use credentials intended for ncm-cli, avoid sharing the privateKey, and understand where ncm-cli stores its configuration.