Security audit
Security checks across malware telemetry and agentic risk
This vocal-extraction skill appears legitimate, but it automatically installs and changes software on the machine more broadly than its metadata discloses.
Install only if you are comfortable with the skill downloading large third-party ML/audio packages, modifying Python packaging tools, creating persistent local environments and caches, and auto-installing ffmpeg. Prefer running it in an isolated OpenClaw environment, container, or disposable account, and review dependency sources before processing sensitive folders.
"""专门为老项目(使用 pkg_resources 的 setup.py)修复 setuptools 版本"""
logger.info("🔧 正在修复 setuptools 版本(兼容旧 GitHub 包构建)...")
try:
subprocess.check_call([
sys.executable, "-m", "pip", "install",
"--quiet", "--force-reinstall", "setuptools<=81.2.0", "wheel"
])# 第一步:尝试 import 检查(最快)
try:
parts = import_name.split('.')
mod = __import__(parts[0])
for part in parts[1:]:
mod = getattr(mod, part)
if sub_import:cmd.extend(["-i", "https://pypi.tuna.tsinghua.edu.cn/simple"])
try:
subprocess.check_call(cmd)
logger.info(f"✅ {spec} 安装/升级完成!")
except subprocess.CalledProcessError as e:# ==================== 1. 检查是否已安装 + 版本是否满足 ====================
try:
__import__(import_name)
# 尝试获取当前版本
try:logger.warning(f"🔧 正在安装 {install_str} ...")
try:
subprocess.check_call([
sys.executable, "-m", "pip", "install",
install_str,
"-i", "https://pypi.tuna.tsinghua.edu.cn/simple",sys.executable, "-m", "pip", "install",
"--upgrade", fallback_zip, "--quiet"
]
subprocess.check_call(cmd_fallback)
logger.info(f"✅ 使用本地包 {fallback_zip} 安装成功!")
return
except subprocess.CalledProcessError as e2:# 安装 PyTorch
logger.info("正在安装 PyTorch(~2-3GB,请耐心等待)...")
subprocess.check_call([
str(venv_python), "-m", "pip", "install", "torch", "torchvision", "torchaudio",
"--index-url", index_url
])logger.info("安装 audio-separator CPU 版 + librosa...")
subprocess.check_call([str(venv_python), "-m", "pip", "install", "audio-separator[cpu]", "librosa"])
subprocess.check_call([str(venv_python), "-m", "pip", "install", "pydub"])
subprocess.check_call([str(venv_python), "-m", "pip", "install", "huggingface-hub[tqdm]"])
logger.info("✅ 虚拟环境及所有依赖安装完成!")subprocess.check_call([str(venv_python), "-m", "pip", "install", "audio-separator[cpu]", "librosa"])
subprocess.check_call([str(venv_python), "-m", "pip", "install", "pydub"])
subprocess.check_call([str(venv_python), "-m", "pip", "install", "huggingface-hub[tqdm]"])
logger.info("✅ 虚拟环境及所有依赖安装完成!")# 安装 audio-separator + librosa(你提到的)
if use_gpu:
logger.info("安装 audio-separator GPU 版 + librosa...")
subprocess.check_call([str(venv_python), "-m", "pip", "install", "audio-separator[gpu]", "librosa"])
else:
logger.info("安装 audio-separator CPU 版 + librosa...")
subprocess.check_call([str(venv_python), "-m", "pip", "install", "audio-separator[cpu]", "librosa"])subprocess.check_call([str(venv_python), "-m", "pip", "install", "audio-separator[gpu]", "librosa"])
else:
logger.info("安装 audio-separator CPU 版 + librosa...")
subprocess.check_call([str(venv_python), "-m", "pip", "install", "audio-separator[cpu]", "librosa"])
subprocess.check_call([str(venv_python), "-m", "pip", "install", "pydub"])
subprocess.check_call([str(venv_python), "-m", "pip", "install", "huggingface-hub[tqdm]"])# 🔥 关键:自动输入 Y(默认 yes),彻底无交互
logger.info(" 自动确认下载中...")
subprocess.run(["ffdl", "install"], input="Y\n", text=True, check=True)
# 下载完后刷新模块
importlib.reload(ffdl)66/66 vendors flagged this skill as clean.