← Back to Skills Marketplace
Hetu Lyrics Blessing
by
Yuqiao Tan
· GitHub ↗
· v1.0.2
388
Downloads
0
Stars
0
Active Installs
3
Versions
Install in OpenClaw
/install hetu-lyrics-blessing
Description
A daily lyrics blessing skill that sends a random Hetu (河图) song lyric to a designated recipient every day at 23:00. Lyrics are fetched from Baidu Baike usin...
README (SKILL.md)
Hetu Lyrics Blessing (河图歌词祝福)
Daily send a random Hetu (河图) song lyric with blessing message.
Features
- 🎵 Lyrics fetched from Baidu Baike (baike.baidu.com) via agent-browser
- ⚠️ NEVER modify lyrics - always fetch exact text
- 💌 Personalized blessing message
- 📧 Email delivery via SMTP
- ⏰ Scheduled daily at 23:00
Directory Structure
hetu-lyrics-blessing/
├── SKILL.md
└── scripts/
└── send_lyrics.py # Main script with browser automation
How It Works
- Randomly select a song from predefined list
- Use
agent-browserto open Baidu Baike page - Extract exact lyrics from the page
- Send email with lyrics + blessing
Quick Start
1. Install Dependencies
npm install -g agent-browser
agent-browser install --with-deps
2. Configure SMTP
Edit send_lyrics.py:
SMTP_SERVER = "smtp.qq.com"
SMTP_PORT = 465
SMTP_EMAIL = "[email protected]"
SMTP_PASSWORD = "your_auth_code"
TO_EMAIL = "[email protected]"
3. Set up Cron
# Run daily at 23:00
crontab -l | { cat; echo "0 23 * * * /path/to/send_lyrics.py >> /path/to/log.txt 2>&1"; } | crontab -
Important Rules
- ⚠️ ALWAYS fetch from https://baike.baidu.com
- ⚠️ NEVER guess or modify lyrics
- ⚠️ If lyrics not found, use predefined backup
- Include source URL in every message
Usage Guidance
Do not run this skill as-is. Specific concerns: (1) The included Python script contains hard-coded SMTP credentials and a fixed recipient — treat these as compromised secrets; do not run with these values. (2) The metadata does not declare the agent-browser dependency or required env vars, so the skill is inconsistent and could behave unexpectedly. Before installing: remove or replace hard-coded credentials, require SMTP config via environment variables or a secure secret store, verify you control the SMTP account and recipient, and rotate any exposed credentials immediately. Also confirm that automated scraping of baike.baidu.com complies with site terms. If you cannot verify the source/owner of this skill or why real credentials are embedded, prefer not to install it.
Capability Analysis
Type: OpenClaw Skill
Name: hetu-lyrics-blessing
Version: 1.0.2
The skill is classified as suspicious primarily due to the hardcoded, real-looking SMTP credentials (email and application password) found in `scripts/send_lyrics.py`. While the `SKILL.md` instructs the user to configure these values, distributing a skill with active, hardcoded credentials is a significant security vulnerability. If a user installs and runs this skill without modifying the script, it will immediately attempt to send emails using the provided `[email protected]` account, which constitutes unauthorized use of an email account from the perspective of the installing user. Additionally, the use of `subprocess.run(..., shell=True)` in `scripts/send_lyrics.py` presents a potential shell injection vulnerability, although it is not immediately exploitable in this specific context as inputs are from trusted, hardcoded sources.
Capability Assessment
Purpose & Capability
The skill's purpose (daily email of lyrics) matches the code: it fetches pages with an automated browser and sends mail via SMTP. However the package metadata declares no required binaries or env vars while SKILL.md instructs installing a global npm tool (agent-browser) and configuring SMTP — this mismatch is incoherent. A legitimate skill should declare the agent-browser dependency and require SMTP credentials (ideally via env vars), not leave them implicit.
Instruction Scope
SKILL.md instructs installing and using agent-browser to fetch exact lyrics and to edit send_lyrics.py with SMTP credentials and a cron entry. The runtime instructions and the script explicitly invoke agent-browser to fetch full page text and then extract lyrics — within scope. The problem: the instructions tell you to supply credentials, but the distributed script already contains functioning, hard-coded SMTP credentials and a fixed recipient, which is unexpected and risky.
Install Mechanism
There is no install spec in the registry (instruction-only), but SKILL.md requires installing agent-browser via npm (-g). Installing a global npm package is a standard action but entails network installs; that step is not declared in the metadata. The skill does not download arbitrary archives or use obscure URLs, so install risk is moderate but should be declared.
Credentials
The skill requests no environment variables in metadata, yet the script contains hard-coded SMTP credentials (SMTP_EMAIL, SMTP_PASSWORD) and a fixed recipient address. This is a significant mismatch: a mail-sending skill should require SMTP credentials (and preferably read them from env vars) rather than shipping working secrets. Hard-coded credentials in published code are a red flag for misconfiguration, credential leakage, or abuse.
Persistence & Privilege
The skill is not force-installed (always:false) and does not modify other skills or system-wide agent settings. It suggests the user set up a cron job to run the script daily; that is a user action outside the agent and not an elevated platform privilege.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install hetu-lyrics-blessing - After installation, invoke the skill by name or use
/hetu-lyrics-blessing - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.2
- Now fetches lyrics directly from Baidu Baike using agent-browser automation.
- Ensures lyrics are always exact—never guessed or modified.
- SKILL.md updated with clearer usage rules and detailed automation setup instructions.
- Requires installation of agent-browser and related dependencies.
- Includes a failsafe: falls back to a local backup if lyrics can’t be fetched.
v1.0.1
- Minor update to scripts/send_lyrics.py
- No changes to features or documentation
- Functionality and usage remain the same
v1.0.0
- Initial release of hetu-lyrics-blessing.
- Sends a random Hetu (河图) song lyric with a personalized blessing message daily at 23:00.
- Lyrics sourced from Baidu Baike for accuracy.
- Delivery via email using configurable SMTP settings.
- Designed for daily medicine reminders, warm messages, or blessings with ancient style Chinese lyrics.
Metadata
Frequently Asked Questions
What is Hetu Lyrics Blessing?
A daily lyrics blessing skill that sends a random Hetu (河图) song lyric to a designated recipient every day at 23:00. Lyrics are fetched from Baidu Baike usin... It is an AI Agent Skill for Claude Code / OpenClaw, with 388 downloads so far.
How do I install Hetu Lyrics Blessing?
Run "/install hetu-lyrics-blessing" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Hetu Lyrics Blessing free?
Yes, Hetu Lyrics Blessing is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Hetu Lyrics Blessing support?
Hetu Lyrics Blessing is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Hetu Lyrics Blessing?
It is built and maintained by Yuqiao Tan (@trae1oung); the current version is v1.0.2.
More Skills