Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Music Skill

Search songs, download playable audio, fetch lyrics, parse music share links, configure platform cookies, and switch music sources through a local go-music-a...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
1 · 148 · 1 current installs · 1 all-time installs
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the included scripts and instructions. The skill installs and runs a go-music-api binary, talks to its local HTTP API, downloads audio and cover art, and embeds metadata — all expected for a 'music' skill.
Instruction Scope
Runtime instructions are focused on installing/starting a local backend, searching, streaming, and embedding metadata. Note: embed_metadata.py will fetch cover images (remote URLs) and lyric endpoints; docs/cookies.md and SKILL.md instruct users to post account cookies to the local backend when needed. These network operations are coherent with the feature set but mean the skill will perform outbound network requests (GitHub for releases and possibly remote cover image hosts).
Install Mechanism
There is no registry install spec; instead bundled shell/PowerShell scripts fetch release assets from GitHub Releases (api.github.com and browser_download_url) and extract native binaries into ~/.openclaw/music. Downloading from GitHub releases is a common pattern but carries the usual risk of running third-party native binaries — the script includes basic validation (file type / PE header checks).
Credentials
The skill declares no required env vars, credentials, or config paths beyond creating and using ~/.openclaw/music and ~/.openclaw/media. Asking users to provide cookies for login-only tracks is expected and explicitly documented; no unrelated secrets are requested.
Persistence & Privilege
The skill does not set always:true, does not modify other skills, and limits its runtime files to ~/.openclaw/music and ~/.openclaw/media. It runs a background process (the downloaded binary) and records pid/port/log — this is expected for a local backend.
Assessment
This skill is coherent with its description, but it will download and run a native binary from GitHub Releases and will write files under ~/.openclaw/music and ~/.openclaw/media. Before installing, verify the upstream repository/release (https://github.com/scavin/Music-Skill and the referenced upstream binary repo guohuiyuan/go-music-api), and prefer releases from a known maintainer. Consider running the install in a sandbox or VM if you don't trust the binary. The skill may fetch cover images and lyrics from remote hosts and can accept user-provided cookies (which are sent to the local backend); only provide cookies you are comfortable storing locally and avoid sharing full cookie strings unless you understand the privacy implications. If you want stronger assurance, request checksums/signatures for the release binaries or inspect the upstream go-music-api source and release artifacts first.


Current version: v0.0.2

License

MIT-0
Free to use, modify, and redistribute. No attribution required.

SKILL.md

go-music-api

Use this skill to install and run a local go-music-api backend, search tracks across sources, download audio, embed metadata, and recover from source failures.

Primary workflow

Prefer the bundled scripts instead of reimplementing the flow by hand.

Route by platform

  • On Linux or macOS, use scripts/install.sh and scripts/play.sh.
  • On Windows, read docs/windows.md before proceeding.
  • When the user mentions cookies, VIP-only tracks, grey tracks, or login-required tracks, read docs/cookies.md.

Linux/macOS install

Run:

scripts/install.sh

The install script should:

  • install go-music-api into ~/.openclaw/music
  • choose a usable local port
  • start the backend in the background
  • verify health with a local API request

Linux/macOS download

Run:

scripts/play.sh "稻香" "$HOME/.openclaw/media/daoxiang.mp3"

The play script should:

  • search by query
  • handle nested search payloads such as data.data, data.list, or data.songs
  • rank candidates by song title, artist, and source quality
  • avoid karaoke, cover, remix, live, DJ, and instrumental variants when possible
  • download the audio stream to the requested path
  • reuse cached files when an equivalent file already exists
  • call scripts/embed_metadata.py to write title, artist, album, cover art, and embedded lyrics when available

Prefer saving final media under a sendable location such as ~/.openclaw/media/.

Manual API workflow

Use this only for debugging or when the helper scripts need changes.

  1. Ensure the backend is installed and running.
  2. Read ~/.openclaw/music/port on Linux/macOS or %USERPROFILE%\.openclaw\music\port on Windows; default to 8080 if absent.
  3. Search with GET /api/v1/music/search?q={q}.
  4. Parse list results from the top-level response or nested data.* collections.
  5. Choose the best candidate.
  6. Download audio with GET /api/v1/music/stream?id={id}&source={source}.
  7. Treat the stream response as audio bytes, not JSON.
  8. If playback fails, try GET /api/v1/music/switch?... to switch source and retry.
  9. If the user provides account cookies, read docs/cookies.md, set them with POST /api/v1/system/cookies, and verify with GET /api/v1/system/cookies.
  10. Fetch lyrics with GET /api/v1/music/lyric?id={id}&source={source} when needed.
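The parsing and selection logic that the play script description and the manual workflow above both call for, as an added example that is not part of the skill's own scripts. It runs offline on a constructed search payload; the endpoint paths are the ones SKILL.md documents, while the result field names (id, name, artist, source) are assumptions.

```python
import os
from urllib.parse import urlencode

# Constructed sample payload in the nested data.data shape the play script must
# handle; the field names are assumed, not taken from go-music-api.
SAMPLE_SEARCH_RESPONSE = {"code": 200, "data": {"data": [
    {"id": "11", "name": "稻香 (Live)", "artist": "周杰伦", "source": "netease"},
    {"id": "12", "name": "稻香", "artist": "周杰伦", "source": "netease"},
    {"id": "13", "name": "稻香 DJ Remix", "artist": "DJ Someone", "source": "kugou"},
]}}
VARIANT_WORDS = ("karaoke", "cover", "remix", "live", "dj", "instrumental")

def read_port(port_file=os.path.expanduser("~/.openclaw/music/port"), default=8080):
    """Step 2: read the port install.sh recorded; fall back to 8080 if the file is absent."""
    try:
        with open(port_file) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return default

def api_url(port, path, **params):
    """Build a local backend URL such as /api/v1/music/stream?id=..&source=.. (steps 3, 6, 10)."""
    return f"http://127.0.0.1:{port}{path}?{urlencode(params)}"

def extract_results(payload):
    """Step 4: accept a top-level list, or a list under data, data.data, data.list or data.songs."""
    if isinstance(payload, list):
        return payload
    if not isinstance(payload, dict):
        return []
    inner = payload.get("data", payload)
    if isinstance(inner, list):
        return inner
    if isinstance(inner, dict):
        for key in ("data", "list", "songs"):
            if isinstance(inner.get(key), list):
                return inner[key]
    return []

def rank_candidates(results, query):
    """Step 5: exact title match first; demote karaoke/cover/remix/live/DJ/instrumental variants."""
    def score(song):
        title = str(song.get("name", "")).lower()
        s = 3 if title == query.lower() else (1 if query.lower() in title else 0)
        words = set(title.replace("(", " ").replace(")", " ").split())
        return s - 4 if words & set(VARIANT_WORDS) else s
    return sorted(results, key=score, reverse=True)

def is_audio_response(content_type, head):
    """Step 7: the stream body must be audio bytes; a JSON body is an error, not a track."""
    if "json" in content_type.lower():
        return False
    return not head.lstrip().startswith((b"{", b"["))
```

Checking is_audio_response before writing the stream to disk avoids saving an error document as a .mp3 and then handing it to embed_metadata.py.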

Files and state

Runtime files live under ~/.openclaw/music (Linux/macOS) or %USERPROFILE%\.openclaw\music (Windows):

  • binary: go-music-api (Linux/macOS) or go-music-api.exe (Windows)
  • log: log.txt
  • pid: pid
  • port: port
  • cache index: cache-index.json

Failure handling

  • If installation fails, check platform and architecture detection, GitHub Releases reachability, and required tools such as curl, tar, unzip, and file (Linux/macOS) or the Windows requirements in docs/windows.md.
  • Match release asset names exactly. Do not use loose matching that could select .deb or .rpm packages.
  • Accept only native executables after extraction. Fail immediately for text files, HTML, scripts, or package files. On Windows, validate the PE header (MZ signature).
  • If metadata embedding is required, ensure Python and mutagen are available. If not, skip metadata embedding or install the dependency before retrying.
  • If certain tracks fail due to platform restrictions, ask for platform cookies and apply them via /api/v1/system/cookies before switching sources.
  • If startup health checks fail, inspect the runtime log.txt.
  • If the backend always binds to a fixed port in practice, simplify the port logic instead of pretending dynamic ports work.
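The two install-time checks the failure-handling list asks for, exact release-asset name matching and native-executable validation of the extracted file, as an added example that is not the skill's own install script. The asset list and download URLs are constructed placeholders.

```python
# Magic bytes of the native executable formats the install scripts should accept.
NATIVE_MAGIC = {
    b"\x7fELF": "elf",              # Linux
    b"\xcf\xfa\xed\xfe": "macho",   # macOS, 64-bit Mach-O (little-endian on disk)
    b"\xca\xfe\xba\xbe": "macho",   # macOS universal (fat) binary
    b"MZ": "pe",                    # Windows PE header, MZ signature
}

def pick_asset(assets, expected_name):
    """Return the browser_download_url of the asset whose name equals expected_name exactly.
    A substring or prefix match would also accept go-music-api_*.deb / .rpm packages."""
    for asset in assets:
        if asset.get("name") == expected_name:
            return asset.get("browser_download_url")
    return None

def classify_header(head):
    """Map the first bytes of a file to 'elf', 'macho' or 'pe'; anything else (text, HTML,
    shell scripts, ar-style .deb archives, .rpm) returns None."""
    for magic, kind in NATIVE_MAGIC.items():
        if head.startswith(magic):
            return kind
    return None

def validate_extracted_binary(path, windows=False):
    """Read the header from disk and fail immediately unless it is a native executable
    of the expected kind; returns the kind on success."""
    with open(path, "rb") as f:
        head = f.read(4)
    kind = classify_header(head)
    if kind is None:
        raise ValueError(f"{path}: not a native executable, refusing to run it")
    if windows and kind != "pe":
        raise ValueError(f"{path}: expected a PE (MZ) executable on Windows, got {kind}")
    return kind

# Constructed release-asset list resembling what api.github.com returns; URLs are placeholders.
SAMPLE_ASSETS = [
    {"name": "go-music-api_1.0.0_amd64.deb", "browser_download_url": "https://example.invalid/a.deb"},
    {"name": "go-music-api_linux_amd64.tar.gz", "browser_download_url": "https://example.invalid/b.tar.gz"},
]
```

The MZ check only covers what the list requires; a stricter Windows check would also follow e_lfanew to the PE signature.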

Files

7 total