Skill v1.0.0

ClawScan security

MusicRouter · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Mar 9, 2026, 3:57 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill appears to do what it says (convert music links across platforms) and does not request unrelated credentials or install remote binaries, but it does perform network requests with user-supplied URLs and can write logs to disk so you should review and test it before running on sensitive links.
Guidance
This skill is coherent with its purpose, but exercise basic caution:
(1) Review the full converter.py before running — the provided manifest snippet appears truncated near the end (an undefined variable 'r' in the truncated output suggests you should confirm the real file is complete and correct).
(2) Test with non-sensitive public links first — user-provided URLs and search queries will be sent to song.link and platform search APIs.
(3) Avoid enabling logging (--log) if you don't want conversion details persisted on disk.
(4) Run the script in a sandboxed environment if you want to limit network or filesystem exposure.
If you want, provide the complete converter.py file (not a truncated listing) and I can re-check for bugs or hidden behavior.

Review Dimensions

Purpose & Capability
ok
The name/description (convert music links, fetch artwork) aligns with the included code and instructions: the script uses Odesli (song.link) for international resolutions and queries Netease/QQ endpoints for Chinese platforms. There are no unrelated environment variables, binaries, or install steps requested.
Instruction Scope
note
SKILL.md and AGENT_GUIDE instruct the agent to call the included Python script with the user-supplied link (and optionally song/artist and --log). That is scoped to the stated purpose. Important: the script issues HTTP requests to the provided URL and to third-party APIs (song.link, music.163.com, c.y.qq.com, etc.), and optional logging will write conversion details to music-router/data/converter.log. This means user-supplied links and derived metadata will be transmitted to external services and may be persisted locally when --log is used.
Install Mechanism
ok
No install spec or external downloads are present; the skill is instruction-only plus an included Python script. No archive downloads or third-party installers are invoked.
Credentials
note
The skill requests no environment variables or credentials, which is appropriate. Caveat: it transmits user-supplied URLs and derived queries to remote APIs (song.link, Netease/QQ search endpoints). If users supply private or pre-release links, those will be sent to external services. Logging (--log) will persist details to the skill's data directory.
Persistence & Privilege
ok
The always field is false and the skill does not request elevated privileges. The only persistent effect is optional creation of music-router/data/converter.log within the skill directory when logging is enabled; no modifications to other skills or system-wide settings are indicated.