
cmus Music Player

by nhathuynguyen19 · GitHub ↗ · v1.0.1 · MIT-0
cross-platform ⚠ suspicious
130 Downloads · 0 Stars · 0 Active Installs · 2 Versions
Install in OpenClaw
/install cmus
Description
AI skill to launch cmus in a Xubuntu terminal and enforce playback rules (single track vs shuffle folder). Robust against high latency and headless daemon en...
README (SKILL.md)

cmus (OpenClaw Playback Controller)

Workflow: Receive file path from yt-dlp -> Launch cmus UI (if not running) -> Wait for socket -> Apply user's specific playback rules -> Play.

Find the active daemon & Launch UI

When OpenClaw runs in the background, it lacks X11/Wayland display variables. The agent MUST inject the environment variables and dynamically poll for the cmus socket instead of using hardcoded sleep.

Execute this precise bash block to ensure the terminal opens and the socket is ready:

```bash
export DISPLAY=${DISPLAY:-:0.0}
export XAUTHORITY=${XAUTHORITY:-$HOME/.Xauthority}
export DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/$(id -u)/bus"

if ! pgrep -x cmus > /dev/null; then
  xfce4-terminal -e cmus &
  for i in {1..20}; do
    cmus-remote -C "status" >/dev/null 2>&1 && break
    sleep 0.5
  done
fi
```

Playback Rule Engine

The agent must parse the user's prompt to determine the playback mode. CRITICAL: The agent MUST resolve <path_to_file> using eval echo to ensure absolute pathing before passing to cmus-remote.

Mode A: Play track and shuffle the rest (Default)

Trigger Intent: "Play this track", "Open song...", "Play and shuffle".

Execute this bash block:

```bash
TARGET_FILE=$(eval echo "<path_to_file>")
cmus-remote -C "clear"
cmus-remote -C "add $HOME/.openclaw/workspace/music/"
cmus-remote -C "set continue=true"
cmus-remote -C "set shuffle=true"
cmus-remote -f "$TARGET_FILE"
```

Mode B: Play ONLY the requested track

Trigger Intent: "Play only this track", "Do not shuffle", "Single track mode".

Execute this bash block:

```bash
TARGET_FILE=$(eval echo "<path_to_file>")
cmus-remote -C "clear"
cmus-remote -C "add $TARGET_FILE"
cmus-remote -C "set continue=false"
cmus-remote -C "set repeat=false"
cmus-remote -p
```

Usage Guidance
This skill appears to do what it says (control cmus), but the runtime instructions include risky practices. Most importantly, replace `eval echo "<path_to_file>"` with a safe resolution method (e.g., realpath, readlink -f, or robust shell-safe expansion with strict quoting) to avoid command injection. Be cautious that the skill exports XAUTHORITY and DBUS_SESSION_BUS_ADDRESS — these give the process GUI/session access; only allow that if you trust the skill and run it under your user account (not root). Verify the skill's provenance (registry owner vs _meta.json owner/version mismatch) before granting it access to your desktop environment. If you don't trust it, run it in a sandboxed account or refuse installation. If you choose to use it, test with non-sensitive files and sanitize any user-supplied paths.
Capability Analysis
Type: OpenClaw Skill
Name: cmus
Version: 1.0.1
The skill contains a significant shell injection vulnerability in SKILL.md due to the use of 'eval echo' on user-provided file paths (<path_to_file>). While intended to resolve absolute paths for the cmus music player, this pattern allows for arbitrary command execution if the input is manipulated. No evidence of intentional malice, data exfiltration, or persistence was found, aligning the behavior with a high-risk implementation flaw rather than malware.
Capability Assessment
Purpose & Capability
The name/description (launch cmus, control playback modes) aligns with required binaries (cmus, cmus-remote, xfce4-terminal, pgrep) and the described workflow. Requiring X-terminal and cmus tools is proportional to the stated goal.
Instruction Scope
The SKILL.md instructs the agent to export DISPLAY, XAUTHORITY, and DBUS_SESSION_BUS_ADDRESS to access a desktop session — reasonable for launching a GUI but sensitive. Critically, it mandates resolving <path_to_file> via `TARGET_FILE=$(eval echo "<path_to_file>")`, which enables shell metacharacter expansion and command substitution and therefore creates a command-injection vector for arbitrary code execution if the input is attacker-controlled or malformed. The instructions also reference and add an agent workspace path ($HOME/.openclaw/workspace/music/), which is plausible but should be explicit about expected contents. Polling for the cmus socket and launching the UI are expected behavior.
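The `eval echo` resolution flagged in the guidance and analysis above, next to a hardened resolver, as an added example (not code from the skill or from this listing). `resolve_safe`, `demo`, the allowed-root argument, `$user_path` and the sample input are constructed for illustration, and `realpath` is assumed to be installed.

```shell
#!/bin/sh
# Added example, not the skill's code.

# README pattern, kept for comparison: eval re-parses the string as shell
# code, so $(...), backticks and ';' inside the "path" are executed.
resolve_unsafe() {
    eval echo "$1"
}

# Hardened resolver: the input is only ever data. $1 = user-supplied path,
# $2 = allowed root (assumed here to be the skill's music workspace).
resolve_safe() {
    p=$1
    case $p in
        "~/"*) p=$HOME/${p#"~/"} ;;      # the only expansion performed
    esac
    case $p in
        /*) ;;
        *)  p=$PWD/$p ;;                 # make relative paths absolute
    esac
    [ -f "$p" ] || return 1              # must be an existing regular file
    p=$(realpath "$p") && root=$(realpath "$2") || return 1
    case $p in
        "$root"/*) printf '%s\n' "$p" ;; # canonical path stays inside root
        *) return 1 ;;
    esac
}

# Constructed demo: throwaway workspace; the "path" carries a command
# substitution that only creates a marker file.
demo() {
    ws=$(mktemp -d) && mkdir "$ws/music" && : > "$ws/music/song.mp3" || return 1
    hostile="$ws/music/song.mp3\$(touch $ws/MARKER)"
    resolve_unsafe "$hostile" >/dev/null
    [ -e "$ws/MARKER" ] && echo "eval echo: substitution ran"
    rm -f "$ws/MARKER"
    resolve_safe "$hostile" "$ws/music" || echo "resolve_safe: rejected"
    [ -e "$ws/MARKER" ] || echo "resolve_safe: nothing ran"
    resolve_safe "$ws/music/song.mp3" "$ws/music"
    rm -rf "$ws"
}
demo

# In the skill, this call would replace the eval line ($user_path is hypothetical):
#   TARGET_FILE=$(resolve_safe "$user_path" "$HOME/.openclaw/workspace/music") || exit 1
```

The resolver rejects anything that is not an existing regular file under the allowed root, so a path that escapes the workspace through `..` or a symlink fails the same way as a string carrying shell syntax.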
Install Mechanism
This is an instruction-only skill with no install spec in the registry entry; risk is low because nothing will be written or executed on install. The SKILL.md metadata suggests an apt install hint for cmus, which is reasonable and low-risk.
Credentials
The skill does not request credentials or external tokens, which is appropriate. However, it instructs the agent to set XAUTHORITY and DBUS_SESSION_BUS_ADDRESS and to rely on $HOME and the user's session bus — these are sensitive environment items because XAUTHORITY grants GUI access and the session DBus can expose user-level IPC. Using them may be necessary to control a GUI music client, but the skill should not encourage blind copying/setting of these values without clear justification or safeguards.
Persistence & Privilege
The skill is not always-enabled and does not request persistent privileges or modify other skills. It does not store tokens or request elevated system-wide privileges.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install cmus
  3. After installation, invoke the skill by name or use /cmus
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
**Improved reliability and environment compatibility for cmus agent**
- Adds robust environment variable injection (DISPLAY, XAUTHORITY, DBUS) to ensure X11 terminal launch in headless/background environments.
- Replaces fixed sleep with dynamic polling for the cmus socket to prevent race conditions.
- Mandates resolving file paths using eval/echo before playback for maximum compatibility.
- Updates metadata to include "pgrep" as a required binary.
- Documentation updated with new exact bash instructions and improved process explanations.
v1.0.0
- Initial release of the cmus skill.
- Enables launching cmus in an Xubuntu terminal if not already running.
- Enforces user-intent playback rules: "play only this track" vs "play and shuffle rest".
- Dynamically resolves file paths to absolute paths for reliable playback.
- Supports headless playback configuration using cmus-remote commands.
- Designed for integration with the yt-dlp download workflow.
Metadata
Slug cmus
Version 1.0.1
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 2
Frequently Asked Questions

What is cmus Music Player?

AI skill to launch cmus in a Xubuntu terminal and enforce playback rules (single track vs shuffle folder). Robust against high latency and headless daemon en... It is an AI Agent Skill for Claude Code / OpenClaw, with 130 downloads so far.

How do I install cmus Music Player?

Run "/install cmus" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is cmus Music Player free?

Yes, cmus Music Player is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does cmus Music Player support?

cmus Music Player is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created cmus Music Player?

It is built and maintained by nhathuynguyen19 (@nhathuynguyen19); the current version is v1.0.1.
