DJ mp3 sourcer

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill is mostly clear about downloading music, but its rename script can move files outside the intended folder if track metadata contains path-like text.

Install only if you are comfortable using yt-dlp/spotdl-style download tools and you have rights to the music. Before using the included rename script, review or modify it so track names are sanitized and cannot create paths outside your chosen download folder.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A malformed or malicious tracklist could cause downloaded MP3s to be moved outside the chosen folder or renamed incorrectly.

Why it was flagged

The script constructs the output path directly from tracklist fields and then renames files to that path. If artist/title values contain slashes, '..', or other path-like characters, the destination may escape the intended directory or fail unexpectedly.

Skill content

TARGET="${ARTIST} - ${TITLE}.mp3"
...
mv "$MATCH" "$DIR/$TARGET"

Recommendation

Sanitize artist and title before using them as filenames, reject path separators and '..', use fixed-string matching where possible, verify the resolved destination stays inside the output directory, and consider a dry-run/confirmation step before renaming.

What this means

Installing current package-manager versions means the behavior depends on external packages outside this skill’s reviewed files.

Why it was flagged

The skill relies on third-party command-line tools installed from package managers without pinned versions. This is expected for a downloader skill, but users should understand the provenance risk.

Skill content

pip install yt-dlp spotdl
brew install ffmpeg

# optional
pip install bandcamp-dl

Recommendation

Declare these dependencies in metadata or an install spec, pin known-good versions where practical, and install only from trusted package sources.

What this means

A large or messy batch could create many simultaneous downloads or renames, making mistakes harder to notice.

Why it was flagged

Parallel sub-agent processing is disclosed and purpose-aligned for batch downloads, but it can amplify mistakes such as wrong matches, excessive downloads, or repeated file operations.

Skill content

When given multiple links, process in parallel using sub-agents (`sessions_spawn`). Report results as each track completes.

Recommendation

Use concurrency limits, keep each track’s output isolated, and ask the user before processing large batches.