Skill v3.3.3

ClawScan security

QQ音乐 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious (scanned Mar 11, 2026, 9:44 AM)
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The package is a real Node.js QQ Music player as described, but it auto-downloads npm packages, creates background processes and (optionally) a public SSH reverse tunnel — documentation about the tunnel default is inconsistent, so treat it as high-risk and run only in isolation or use the provided secure script.
Guidance
This skill appears to do what it claims (a local Node.js QQ Music player) but contains higher-risk behaviors: it will run npm install (network download), start a background Node process, and contains code to create a public SSH reverse tunnel (serveo.net). Before using it:
1) prefer ./start-secure.sh (removes tunnel), or explicitly run ENABLE_TUNNEL=false ./start.sh;
2) run it inside a disposable Docker container or VM and do not run as root;
3) inspect player/package.json and player/server-qqmusic.js yourself (or have a trusted admin do so);
4) run ./security-scan.sh as suggested and confirm start.sh's ENABLE_TUNNEL default in your copy (docs conflict across files);
5) avoid adding cron/system-level persistent jobs unless you intentionally want a persistent network-exposed service.
If you are not comfortable reviewing code or running services in isolation, do not install it.
Findings
[SSH_REVERSE_TUNNEL] expected: start.sh contains ssh -R ... serveo.net to create a public tunnel. This is consistent with the feature 'generate public access URL', but it is a high-risk network exposure and docs disagree about default enablement.
[NPM_INSTALL_NETWORK_DOWNLOAD] expected: start-secure.sh and other scripts run npm install in player/ to fetch dependencies (express, axios, cors, dotenv). Expected for a Node app but downloads executable code at runtime — run in sandbox if untrusted.
[BACKGROUND_PROCESS] expected: start scripts launch 'node server-qqmusic.js' in background and persist PID/log files in /tmp. Expected for a server but implies persistence and the need to manage/stop the process.
[WRITE_TMP_FILES] expected: Skill writes /tmp/qq-music-radio.log and /tmp/qq-music-radio.pid and optionally /tmp/serveo.log. This is normal for logging but means local files may contain runtime info.
[CRON_AUTORESTART_SUGGESTION] unexpected: Documentation and examples suggest adding a cron job for periodic restarts. While helpful, scheduling persistent system-level cron jobs increases persistence beyond the agent invocation and is not strictly necessary for the player's core functionality.

Review Dimensions

Purpose & Capability
Note: The skill's files (Node server, frontend, start/stop scripts) match the claimed purpose (local web music player). Network downloads (npm install), a local server on port 3000, and an optional public tunnel (serveo.net) are plausible for sharing the UI. However, documentation is inconsistent about the tunnel default (some docs claim it is enabled by default; others show DEFAULT=false), which is an important behavioral mismatch users must notice.
Instruction Scope
Concern: SKILL.md instructs the agent to check and start /projects/.openclaw/skills/qq-music-radio/start.sh, create or verify a serveo.net tunnel, and return a PUBLIC_URL. That gives the agent explicit permission to run npm install, launch a background Node process, and establish an internet-exposed SSH reverse tunnel. It also includes examples that create cron jobs and automatic restarts; these expand the skill's runtime scope beyond one-off serving and can persistently expose the host. While these actions are coherent with a shareable web player, they are high-impact, and the default behavior is unclear because of contradictory documentation.
Install Mechanism
Note: There is no formal install spec, but start.sh (and start-secure.sh) will run npm install in player/ on first run, pulling packages from the npm registry (express, axios, cors, dotenv). Downloading from the public npm registry is expected for a Node app, but it is a network operation that fetches executable code at runtime: moderate risk if you don't run it in an isolated environment.
Credentials
OK: The skill does not request secrets or external service credentials. The environment variables mentioned (ENABLE_TUNNEL, PORT, LOG_FILE, TUNNEL_SERVICE) are reasonable configuration knobs for a local server/tunnel. No unrelated credentials or access to other skills' config paths are requested.
Persistence & Privilege
Note: The always:false setting and model-based invocation are normal. The skill does create a background server process (node server-qqmusic.js &) and writes PID/log files to /tmp; documentation also suggests optional cron-based health checks/restarts. This is expected for a long-running service but does mean the skill can persist on the host and re-establish network exposure unless the user disables the tunnel and avoids the cron setup.