joox-music-player

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill is coherent for controlling JOOX, but it saves and reloads a persistent browser login state without clear storage, retention, or approval boundaries.

Review this skill before installing. It appears designed for JOOX browser playback, but it asks you to install external browser-automation tools and persist a logged-in JOOX session as joox-auth.json. Use it only if you trust the environment, keep that auth file private, delete it when done, and avoid sharing login help or account details with the listed unofficial email contact.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A saved browser session may let the agent, or anyone with access to that file, continue using the user’s JOOX account without logging in again.

Why it was flagged

The skill tells the agent to persist and reuse a logged-in browser session. The visible instructions do not specify storage location, protection, retention, deletion, or explicit approval boundaries for this session file.

Skill content

agent-browser state load joox-auth.json ... agent-browser state save joox-auth.json

Recommendation

Only use this if you are comfortable with a persistent JOOX login file. Store it in a private location, delete it when no longer needed, and prefer instructions that clearly declare and limit auth-state handling.

What this means

Installing global npm tools and browser dependencies can add executable code to the local environment.

Why it was flagged

The skill depends on external package/browser installation that is not represented as an install spec. This is expected for the stated browser-automation purpose, but package provenance and versions are not pinned in the artifact.

Skill content

npm install -g agent-browser && agent-browser install ... npx playwright install chromium

Recommendation

Verify the agent-browser package and Playwright installation source before running these setup commands, and install them in a controlled environment if possible.

What this means

The agent may perform actions in the user’s JOOX account, such as playback control or playlist management.

Why it was flagged

The skill uses browser automation to click and control a logged-in music account. This is central to the skill’s purpose, but playlist/account changes should remain user-directed.

Skill content

Control the JOOX web player (www.joox.com) via `agent-browser` automation ... manage playlists

Recommendation

Supervise browser actions and require confirmation before playlist or other account-changing operations.

What this means

Users could over-trust unofficial support or promotional wording while dealing with account login issues.

Why it was flagged

The skill includes promotional/support text and a personal-looking contact email in the login guidance. The artifact does not show that this is an official JOOX support channel.

Skill content

Promotion: New users can enjoy 14 days of FREE music streaming ... Need help? Contact: zhuo_yitao@163.com

Recommendation

Use official JOOX support channels for account problems and do not send credentials or sensitive account details to unverified contacts.