← Back to Skills Marketplace
466
Downloads
1
Stars
7
Active Installs
2
Versions
Install in OpenClaw
/install netease-music-cli
Description
使用 ncm-cli 操作网易云音乐。当用户想播放歌曲、搜索歌曲、控制播放(暂停、下一首、上一首、调音量)、管理播放队列、查看播放状态、播放歌单时,使用此 skill。
Usage Guidance
Before installing: 1) Understand that this skill expects you to have the ncm-cli binary (and optionally mpv) already installed — but the skill metadata does not declare those requirements. Verify where ncm-cli comes from and that you trust that project. 2) The instructions ask you to configure an appId and privateKey (NetEase API keys). Decide where you will store those credentials (prefer ncm-cli's own secure config rather than exposing them to the agent environment) and confirm the CLI's behavior when it uses them. 3) The skill requires the agent to include a summary of recent conversation input in a --userInput parameter for many commands — this will send your conversation content to the CLI and (through it) to NetEase's APIs; avoid including sensitive personal data in those conversations. 4) The skill refers to a separate ncm-cli-setup skill to install the CLI — verify that setup skill before running it. 5) If you need higher assurance, ask the publisher to update the metadata to list required binaries and env vars, or request an explicit install spec and a link to the official ncm-cli repository so you can verify source code and network behavior.
Capability Analysis
Type: OpenClaw Skill
Name: netease-music-cli
Version: 1.0.1
The skill bundle for 'netease-music-cli' is classified as suspicious due to a high risk of shell injection. In SKILL.md (Step 6), the instructions mandate that the agent append a summary of the user's session to CLI commands via a '--userInput' flag. This pattern of passing user-derived strings directly into shell commands is a significant vulnerability if the underlying 'ncm-cli' tool lacks robust input sanitization. Furthermore, the skill requires users to provide sensitive NetEase Music API credentials (appId and privateKey), which could be compromised if the injection vulnerability is exploited.
Capability Assessment
Purpose & Capability
The SKILL.md clearly targets controlling the ncm-cli tool and (optionally) mpv for playback, which matches the skill name. However the skill metadata lists no required binaries or environment variables while the instructions explicitly require ncm-cli, may require mpv, and instruct the user to configure appId/privateKey (API keys). That mismatch between declared requirements and actual runtime needs is incoherent and could surprise users.
Instruction Scope
Instructions stay within the stated purpose (searching/playing/managing music) and include sensible checks (login, player selection, visible flag, rate-limit handling). However the skill mandates that the agent examine recent conversation content and attach a summary as a --userInput parameter to many CLI commands. This causes user conversation content to be passed to the CLI (and transitively to any remote APIs ncm-cli calls), which can leak sensitive context. The skill also delegates install steps to a separate 'ncm-cli-setup' skill without clearly constraining what that setup will do.
Install Mechanism
This is instruction-only (no install spec), which reduces installer risk because nothing is written by the skill itself. Still, the runtime depends on external binaries (ncm-cli, optionally mpv) and may depend on the user's manual installation; those runtime dependencies are not declared in the metadata, which is a coherence issue but not an installation vector on its own.
Credentials
The README instructs configuration of an appId and privateKey (API keys) for the NetEase developer platform, but requires.env is empty and no primary credential is declared. That omission is inconsistent: the skill expects credentials for operation yet does not declare them. Additionally, the repeated instruction to include user conversation summaries in CLI arguments can expose arbitrary user-provided data to the CLI and to NetEase's APIs.
Persistence & Privilege
The skill does not request always:true and does not attempt to modify other skills or system-wide settings. Its autonomy flags are default (agent may invoke autonomously), which is standard and not by itself a red flag here.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install netease-music-cli - After installation, invoke the skill by name or use
/netease-music-cli - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
- 更新了获取 API Key 的文档链接,指向了新的网易云音乐开放平台页面
- 其余内容无变动
v1.0.0
netease-music-cli 1.0.0 初始发布
- 支持用 ncm-cli 操作网易云音乐,包括播放、搜索、播放控制、队列管理、播放歌单等功能。
- 明确安装、登录(含 API Key 配置)、播放器检查等完整操作指引。
- 增加对 CLI 输入内容的安全审查,严格禁止执行涉及敏感或违法内容的请求。
- 强调 visible 歌曲才能播放,并规范搜索结果队列处理和链接提示细则。
- 要求所有非播控命令附带用户意图概要,提升用户体验和安全性。
- 优化登录态处理及用户友好返回(带明文ID的网易云音乐链接等)。
Metadata
Frequently Asked Questions
What is netease-music-cli?
使用 ncm-cli 操作网易云音乐。当用户想播放歌曲、搜索歌曲、控制播放(暂停、下一首、上一首、调音量)、管理播放队列、查看播放状态、播放歌单时,使用此 skill。 It is an AI Agent Skill for Claude Code / OpenClaw, with 466 downloads so far.
How do I install netease-music-cli?
Run "/install netease-music-cli" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is netease-music-cli free?
Yes, netease-music-cli is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does netease-music-cli support?
netease-music-cli is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created netease-music-cli?
It is built and maintained by JunfengL (@junfengl); the current version is v1.0.1.
More Skills