Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Play Music from YouTube

v0.0.9

Play music on YouTube via browser automation with playwright-cli. Use when the user wants to: (1) play a specific song (e.g. 'play Money Money Money by ABBA') (2) play songs by an artist as a playlist or mix (e.g. 'play Jay Chou's songs') (3) play genre or mood-based music (e.g. 'play relaxing spa music', 'play 60s Chinese oldies') (4) control playback — next, pause, resume, stop, skip ad, change song, close the player. Also handles song/artist name corrections from voice transcription errors.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the runtime instructions: the skill automates a visible browser using playwright-cli to search and control YouTube playback. Requiring the playwright-cli binary is appropriate and proportional to the stated purpose.
Instruction Scope
The SKILL.md prescribes extensive, concrete commands (snapshot → ref → action) and instructs using a visible, persistent browser profile (--persistent, --headed) and searching snapshot files in $WORKSPACE/.playwright-cli and ~/.playwright-cli. These behaviors are coherent with providing stable playback and login persistence, but they mean the skill will create and read on-disk browser state (cookies, localStorage, IndexedDB/cache via persistent profile) and snapshots containing page content and UI refs. There are no instructions to transmit data to external endpoints, but the local persistence and snapshot files can contain sensitive account/session data.
Install Mechanism
This is an instruction-only skill with no install spec or remote downloads; the only runtime dependency is the playwright-cli binary already present on the host. That is the lowest-risk install footprint.
Credentials
The skill declares no environment variables or credentials; it only requires the playwright-cli binary. However, because it uses a persistent browser profile, it will rely on and store any existing local browser session state (e.g., Google sign-in cookies) — this is expected but privacy-relevant.
Persistence & Privilege
always:false and the skill does not request elevated platform privileges or modify other skills. But it explicitly instructs use of --persistent sessions and saving/loading state (state-save/state-load), creating long-lived files in $WORKSPACE/.playwright-cli or ~/.playwright-cli. This gives the skill persistent access to browser session data on disk (cookies, localStorage, service worker state) which increases the blast radius if other actors access those files.
Assessment
This skill appears to do what it says (automating a visible browser with playwright-cli to play YouTube). Before enabling it, consider: (1) it will open a visible browser and by default use a persistent profile that stores cookies, localStorage, and other profile data under $WORKSPACE/.playwright-cli or ~/.playwright-cli — if you are logged into YouTube/Google this lets the skill act as your signed-in user; (2) snapshot and state-save commands will write files (snapshots, auth.json) into your workspace/home that may include sensitive session data — review or run in an isolated workspace if you are concerned; (3) there are no indications the skill exfiltrates data to external servers, but you should install playwright-cli from a trusted source and inspect any files created by the tool; (4) if you prefer less persistence/privacy risk, request headless mode and avoid --persistent or periodically delete the .playwright-cli profile. If you want, I can list exact files and paths the skill may write and provide step-by-step guidance to run it in a disposable workspace.

Like a lobster shell, security has layers — review code before you run it.



Runtime requirements

🎵 Clawdis
Bins: playwright-cli
