v1.0.0

ClawTune 抓音 is a skill that brings you AI music, including both listening to songs and creating them.

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 7:41 AM.

Analysis

ClawTune’s music workflow is coherent, but it deserves review because it stores ClawTune auth/session data locally and includes a broad authenticated API helper.

Guidance

Install only if you are comfortable with ClawTune scripts calling its online API, creating drafts/orders when you ask, and storing local auth/session files under ~/.openclaw/clawtune. Avoid auth print commands, protect or clear the state directory when needed, and require explicit confirmation before any order-creation or other write action.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium. Confidence: High. Status: Concern.
scripts/api-request.sh
usage: $0 METHOD PATH [JSON_BODY] ... URL="$BASE_URL$PATH_PART" ... -H "Authorization: Bearer $ACCESS_TOKEN"

The helper accepts arbitrary method, path, and JSON body, then sends the request with the stored bearer token; this can bypass the more scoped playlist/draft/order wrapper scripts.

User impact: A mistaken or over-eager agent could make unintended authenticated ClawTune API calls, including service-state changes, rather than staying within the documented workflow.

Recommendation: Use the specific scripts for normal flows, require user confirmation before POST/PATCH/order actions, and restrict the generic helper to an allowlist of endpoints and methods.

Agentic Supply Chain Vulnerabilities
Severity: Low. Confidence: High. Status: Note.
metadata
Source: unknown; Homepage: none ... Required binaries (all must exist): none ... No install spec — this is an instruction-only skill.

The registry metadata does not declare provenance, install details, or runtime binaries even though the package includes shell scripts that rely on local command execution.

User impact: Users have less registry-level information about where the package comes from and what local tools it expects.

Recommendation: Publish source/homepage information where possible and declare the script runtime requirements such as bash, curl, and python3.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium. Confidence: High. Status: Concern.
scripts/auth-bootstrap.sh
AUTH_FILE="$STATE_DIR/auth.json" ... "access_token": access_token ... "refresh_token": refresh_token ... print) ... cat "$AUTH_FILE"

The script stores ClawTune access and refresh tokens in a local auth file and has a print mode that outputs the whole file, including tokens.

User impact: If the auth print mode is used or the local file is exposed, someone could see tokens that authorize ClawTune API actions for this installation.

Recommendation: Do not run the auth print mode in normal use, protect the ~/.openclaw/clawtune directory, and prefer a redacted status command that never outputs access or refresh tokens.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low. Confidence: High. Status: Note.
scripts/session-state.sh
"current_playlist_id": "", "current_draft_id": "", "current_order_id": "", ... "last_user_intent_summary": ""

The skill persists playlist, draft, order, and user-intent context so it can recover the user’s music workflow later.

User impact: Music ideas, emotional context, and order identifiers can remain in local session state and influence later recovery steps.

Recommendation: Treat the session file as private, clear it when a workflow is finished if needed, and avoid relying on stale session context without confirming with the user.