Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

purevocals-uvr-automator

v1.0.3

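Invoke this skill automatically when the user wants to **batch-extract ultra-clean pure vocals (dry vocals / Vocals Only) from audio files in one click** and remove the accompaniment/background music. A one-click audio vocal separation tool. It specializes in extracting ultra-clean dry vocals (Acapella) from audio files (.mp3/.wav/.flac, etc.) or removing background sound to produce an accompaniment track. Core use: supports batch processing of a single audio file or an entire folder (....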

by 顶尖王牌程序员 @wangminrui2022
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description (bulk vocal extraction using UVR/audio-separator) align with the included scripts. The code implements audio processing, model download/caching, ffmpeg setup, GPU detection, and uses audio-separator CLI — all expected for the stated function.
Instruction Scope
SKILL.md instructs the agent to run scripts/purevocals.py which in turn will scan input paths, create output folders, trim sample files if requested, and call the audio-separator CLI. The README/SKILL.md mention virtualenv management and model downloads, which the code implements. The runtime will execute many subprocesses (pip installs, ffmpeg installer, audio-separator CLI) and probe system state (nvidia-smi, standard filesystem paths). The skill does not request credentials or read unrelated environment variables, but it will access/modify files under the skill directory and any user-specified input/output paths.
Install Mechanism
There is no separate install spec; instead the scripts auto-create/activate a virtualenv and perform runtime pip installs (including torch and audio-separator), download models (GitHub), and download ffmpeg using ffmpeg-downloader. Sources used are common (pypi mirror, download.pytorch.org, GitHub releases), but runtime installation of large binary wheels (PyTorch) and external binaries increases operational risk (network access, long downloads, large disk usage). This behavior is expected for local model-based audio processing but is higher-risk than a pure instruction-only skill.
Credentials
The skill requests no secrets or external credentials. It requires only 'python' on PATH and writes models, logs, and venv under the skill area. Access to the filesystem (input/output paths) and ability to run nvidia-smi are necessary for GPU detection and processing, so the requested accesses are proportionate to its purpose.
Persistence & Privilege
The scripts create a persistent virtual environment (VENV_DIR) under the skills tree and cache models/logs under the skill root. The config indicates the venv path is shared (skills/venv), which can increase blast radius because multiple skills may end up using the same venv. The skill also persists downloaded model files and ffmpeg binaries. While 'always' is false and it is user-invocable, the persistent installations and shared venv are noteworthy and warrant caution.
Assessment
This skill is coherent with its stated purpose, but it will perform large runtime operations on your machine: it will create/activate a virtual environment, install PyTorch (GBs), install audio-separator and other Python packages via pip (using a mirror), download pretrained model files and ffmpeg binaries, and run subprocesses (including nvidia-smi) to detect GPU. It does not request credentials, but it will write files under the skill directory (models, venv, logs) and any input/output paths you give it. Before installing or invoking:
1) Ensure you trust the author/sources;
2) Expect substantial network and disk usage and long installs;
3) If you want to limit risk, run the script manually in an isolated environment or container (so installs are contained) or inspect/modify VENV_DIR to use a per-skill venv instead of a shared one;
4) Avoid pointing the skill at folders containing sensitive files;
5) If you need stricter control, run the code locally yourself and review the model download URLs and pip install commands.
Overall the behavior is expected for a local model-based audio tool, but treat the automatic installs and shared venv as non-trivial operational changes and proceed accordingly.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Bins: python
