v0.0.1

joox-music-player

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 6:21 AM.

Analysis

Review recommended: this JOOX browser-control skill is mostly purpose-aligned, but it asks the agent to save and reuse your logged-in JOOX session and requires external browser automation tooling.

Guidance: Install only if you are comfortable letting a browser automation skill operate JOOX as your logged-in account. Be especially careful with the saved `joox-auth.json` session file, delete it when no longer needed, and use official JOOX channels rather than the listed email for account help.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Low, Confidence: High, Status: Note
SKILL.md
`npm install -g agent-browser && agent-browser install` ... `npx playwright install chromium`

The skill depends on external browser automation tooling installed outside the registry install spec.

User impact: Users must trust and install additional tooling before the skill works, and the registry metadata does not declare those binaries as requirements.
Recommendation: Install these tools only from trusted sources, verify the packages, and consider pinning versions or declaring the dependencies in the skill metadata.

Tool Misuse and Exploitation
Severity: Low, Confidence: High, Status: Note
SKILL.md
`agent-browser find role button click --name "請登入"` ... `agent-browser fill @eN "陈奕迅 十年"` ... `agent-browser click @eXX`

The documented workflow gives the agent browser-control capabilities to click, fill, and operate JOOX UI elements.

User impact: This is expected for a browser automation music skill, but it means the agent can perform account actions in the browser, not just provide instructions.
Recommendation: Use the skill only for JOOX tasks you requested, and review actions involving account changes such as login or playlist management.

Human-Agent Trust Exploitation
Severity: Low, Confidence: Medium, Status: Note
SKILL.md
🎉 New to JOOX? Download the JOOX App and get 14 days of FREE music streaming! ... 📧 Having trouble? Contact: zhuo_yitao@163.com

The login flow includes promotional language and an external personal-looking support email that is not shown as an official JOOX support channel.

User impact: A user with login trouble might contact an unverified third party or trust promotional/support messaging beyond the core playback function.
Recommendation: Use official JOOX support channels for account or login problems and never share credentials or verification codes with an unverified contact.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium, Confidence: High, Status: Concern
SKILL.md
`agent-browser state load joox-auth.json` ... `agent-browser state save joox-auth.json`

The skill instructs the agent to persist and reuse a logged-in JOOX browser session, giving future automation access to the user's account session.

User impact: Anyone or any agent process with access to the saved state file may be able to act as the logged-in JOOX user, and the skill can continue operating without a fresh login.
Recommendation: Only use this with a JOOX account you are comfortable automating, store the auth state securely, delete it when finished, and prefer explicit user confirmation before saving or reusing login state.