Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

cmus Music Player

v1.0.1

AI skill to launch cmus in a Xubuntu terminal and enforce playback rules (single track vs shuffle folder). Robust against high latency and headless daemon en...

Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (launch cmus, control playback modes) aligns with required binaries (cmus, cmus-remote, xfce4-terminal, pgrep) and the described workflow. Requiring X-terminal and cmus tools is proportional to the stated goal.
Instruction Scope
The SKILL.md instructs the agent to export DISPLAY, XAUTHORITY, and DBUS_SESSION_BUS_ADDRESS to access a desktop session, which is reasonable for launching a GUI but sensitive. Critically, it mandates resolving <path_to_file> via `TARGET_FILE=$(eval echo "<path_to_file>")`, which enables shell metacharacter expansion and command substitution and therefore creates a command-injection vector for arbitrary code execution if the input is attacker-controlled or malformed. The instructions also reference and add an agent workspace path ($HOME/.openclaw/workspace/music/), which is plausible but should be explicit about expected contents. Polling for the cmus socket and launching the UI are expected behavior.
Install Mechanism
This is an instruction-only skill with no install spec in the registry entry; risk is low because nothing will be written or executed on install. The SKILL.md metadata suggests an apt install hint for cmus, which is reasonable and low-risk.
Credentials
The skill does not request credentials or external tokens, which is appropriate. However, it instructs the agent to set XAUTHORITY and DBUS_SESSION_BUS_ADDRESS and to rely on $HOME and the user's session bus — these are sensitive environment items because XAUTHORITY grants GUI access and the session DBus can expose user-level IPC. Using them may be necessary to control a GUI music client, but the skill should not encourage blind copying/setting of these values without clear justification or safeguards.
Persistence & Privilege
The skill is not always-enabled and does not request persistent privileges or modify other skills. It does not store tokens or request elevated system-wide privileges.
What to consider before installing
This skill appears to do what it says (control cmus), but the runtime instructions include risky practices. Most importantly, replace `eval echo "<path_to_file>"` with a safe resolution method (e.g., realpath, readlink -f, or robust shell-safe expansion with strict quoting) to avoid command injection. Be cautious that the skill exports XAUTHORITY and DBUS_SESSION_BUS_ADDRESS — these give the process GUI/session access; only allow that if you trust the skill and run it under your user account (not root). Verify the skill's provenance (registry owner vs _meta.json owner/version mismatch) before granting it access to your desktop environment. If you don't trust it, run it in a sandboxed account or refuse installation. If you choose to use it, test with non-sensitive files and sanitize any user-supplied paths.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🎹 Clawdis
Bins: cmus, cmus-remote, xfce4-terminal, pgrep
latest vk9797b1s878f46c3fa0bbem16583n90d
106 downloads
0 stars
2 versions
Updated 3w ago
v1.0.1
MIT-0

cmus (OpenClaw Playback Controller)

Workflow: Receive file path from yt-dlp -> Launch cmus UI (if not running) -> Wait for socket -> Apply user's specific playback rules -> Play.

Find the active daemon & Launch UI

When OpenClaw runs in the background, it lacks X11/Wayland display variables. The agent MUST inject the environment variables and dynamically poll for the cmus socket instead of using hardcoded sleep.

Execute this precise bash block to ensure the terminal opens and the socket is ready:

```bash
export DISPLAY=${DISPLAY:-:0.0}
export XAUTHORITY=${XAUTHORITY:-$HOME/.Xauthority}
export DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/$(id -u)/bus"

if ! pgrep -x cmus > /dev/null; then
    xfce4-terminal -e cmus &
    for i in {1..20}; do
        cmus-remote -C "status" >/dev/null 2>&1 && break
        sleep 0.5
    done
fi
```

Playback Rule Engine

The agent must parse the user's prompt to determine the playback mode. CRITICAL: The agent MUST resolve <path_to_file> using eval echo to ensure absolute pathing before passing to cmus-remote.

Mode A: Play track and shuffle the rest (Default)

Trigger Intent: "Play this track", "Open song...", "Play and shuffle". Execute this bash block:

```bash
TARGET_FILE=$(eval echo "<path_to_file>")
cmus-remote -C "clear"
cmus-remote -C "add $HOME/.openclaw/workspace/music/"
cmus-remote -C "set continue=true"
cmus-remote -C "set shuffle=true"
cmus-remote -f "$TARGET_FILE"
```

Mode B: Play ONLY the requested track

Trigger Intent: "Play only this track", "Do not shuffle", "Single track mode". Execute this bash block:

```bash
TARGET_FILE=$(eval echo "<path_to_file>")
cmus-remote -C "clear"
cmus-remote -C "add $TARGET_FILE"
cmus-remote -C "set continue=false"
cmus-remote -C "set repeat=false"
cmus-remote -p
```
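
The scan recommends replacing `eval echo` with `realpath` or `readlink -f`. The following is an added example of that replacement, not code from the skill or from ClawHub. The function names `resolve_track` and `play_track`, the control-character check, and the rule that a track must live under the music workspace are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example, not the skill's code. Function names and the containment
# rule (tracks must live under the music workspace) are assumptions.
MUSIC_ROOT=${MUSIC_ROOT:-$HOME/.openclaw/workspace/music}

# resolve_track RAW [ROOT]
# Prints the canonical path of RAW if it is a regular file under ROOT and
# returns 1 otherwise. RAW is only ever used as data, never re-parsed.
resolve_track() {
    local raw root path canon_root
    raw=$1
    root=${2:-$MUSIC_ROOT}
    # Expand a leading "~" by hand; no other shell syntax is interpreted.
    case $raw in
        "~")   raw=$HOME ;;
        "~/"*) raw=$HOME/${raw#"~/"} ;;
    esac
    # Control characters (newlines included) have no place in a track path.
    case $raw in
        *[[:cntrl:]]*) return 1 ;;
    esac
    canon_root=$(readlink -f -- "$root") || return 1
    path=$(readlink -f -- "$raw") || return 1
    [ -f "$path" ] || return 1
    # Containment is checked after symlinks and ".." have been resolved.
    case $path in
        "$canon_root"/*) printf '%s\n' "$path" ;;
        *) return 1 ;;
    esac
}

# Replaces the TARGET_FILE=$(eval echo ...) line; -f is the flag Mode A uses.
play_track() {
    local track
    track=$(resolve_track "$1") || { printf 'rejected path\n' >&2; return 1; }
    cmus-remote -f "$track"
}
```

A path such as `$(id).mp3` reaches `readlink` as a literal file name, so it is either rejected as missing or played as an oddly named file, but never executed.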
