Netease Music Pusher
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill appears purpose-aligned for Netease music recommendations, but it persistently stores login cookies while under-declaring and underplaying that credential risk.
Review before installing. Use it only if you are comfortable saving Netease session cookies under /root/.openclaw/workspace/secrets, protect or delete that file when needed, and add the cron job only if you want recurring automated access. Avoid blindly copying example login values, and consider pinning the Python dependency.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
No VirusTotal findings for this skill version.
- Malicious: 0
- Suspicious: 0
- Harmless: 0
- Undetected: 66
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or any process that can read the cookie file may be able to reuse the Netease login session.
The code persists Netease session cookies locally after login. These cookies can provide continued account access, but the registry metadata declares no primary credential and the docs do not give clear file-permission or deletion guidance.
self.cookies_file = '/root/.openclaw/workspace/secrets/netease_cookies.json' ... json.dump(cookies_dict, f)
Treat the cookie file like a password: restrict permissions, document how to delete or rotate it, and declare the credential/session requirement in metadata.
Users may install or schedule the skill without realizing it stores account-access material on disk.
The README says no sensitive information is stored, but the same artifacts document and implement saving login cookies. Session cookies are sensitive credentials.
Account security: verification-code login is more secure than password login; no sensitive information is stored
Change the wording to clearly state that session cookies are stored, explain the risk, and provide cleanup instructions.
If enabled, the job will continue accessing the saved session on the configured schedule.
The skill documents a daily scheduled job. This persistence is disclosed and purpose-aligned, but it means the skill can keep running after setup.
openclaw cron add ... --schedule 0 8 * * * ... netease_client.py daily
Only add the cron job if you want recurring access, and document how to list and remove the scheduled task.
The installed package affects the local Python environment and depends on the package source resolved by pip.
The skill asks the user to install an external Python package without a pinned version or install spec. This is expected for the encryption implementation, but users should notice the dependency.
pip3 install cryptography
Prefer a pinned dependency in an install spec or document the expected version and trusted package source.
