Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Multi-Source Music Download

v1.0.0

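Searches 10 music platforms and downloads MP3s, automatically switching sources and handling anti-hotlinking protection, and saves files to the /tmp/music directory.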

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
The skill's name/description (multi-source music downloader) matches the implementation: the Python file contains search and download logic for the ten listed music platforms and saves MP3s to /tmp/music. No unrelated services, credentials, or system-level accesses are requested.
Instruction Scope
SKILL.md instructs running the included Python script (it even shows an absolute path under /root/.openclaw/...); the instructions and code operate only on network requests to the listed music sites and write files to /tmp/music. Note: the SKILL.md and code explicitly disable SSL verification and suppress warnings, and the SKILL.md claims 'SSL绕过(已自动处理)' ("SSL bypass (handled automatically)"); this is a risky implementation detail (see user guidance).
Install Mechanism
There is no install spec (instruction-only), and the code file is bundled. No external installers, downloads from unknown URLs, or package installs were specified. The skill will run the included Python code when invoked.
Credentials
The skill declares no required environment variables, credentials, or config paths, and the code does not read any environment secrets. Network access is required and used only to contact the listed music platforms.
Persistence & Privilege
always is false and the skill is user-invocable. The script writes downloaded files to /tmp/music (ephemeral filesystem) and does not request persistent elevated privileges or modify system/other-skill configurations.
Assessment
What to consider before installing or running:
- The code disables SSL verification (requests.verify=False) and suppresses related warnings; this makes HTTPS requests susceptible to MITM attacks, so prefer enabling verification or running in a controlled environment.
- The skill downloads content from many third-party music sites and saves files under /tmp/music; verify you are comfortable with legal/terms-of-service implications of scraping/downloading from those sites.
- SKILL.md examples use an absolute path (/root/.openclaw/...), which may not match your environment; check and run the script from a non-privileged account.
- Because this is an instruction-only skill with bundled code, review the Python file yourself (it is included) before running.

If you want to reduce risk: run it in a sandbox/container, change the output directory from /tmp to a safer location, and re-enable SSL verification.

Like a lobster shell, security has layers — review code before you run it.
