← Back to Skills Marketplace
843
Downloads
0
Stars
2
Active Installs
1
Versions
Install in OpenClaw
/install netease-music-pusher
Description
自动验证码登录网易云音乐,获取并定时推送个性化每日推荐和公开榜单歌曲信息。
Usage Guidance
This skill generally does what it says: it uses SMS captcha to log in to music.163.com, fetches daily recommendations and public charts, and saves login cookies so you don't re-login every time. Before installing: 1) Inspect the included scripts yourself (they're in scripts/) to confirm there are no hidden network endpoints or obfuscated code. 2) Note the skill will write cookies to /root/.openclaw/workspace/secrets/netease_cookies.json — treat that as sensitive and ensure only trusted processes can read that directory. 3) The SKILL.md had a base64-block scan hit — check the SKILL.md for any hidden/encoded content. 4) If you want to limit exposure, run the skill in a sandbox or container, or move the cookies path to a location you control, and confirm file permissions. 5) Because the publisher is unknown, prefer manual execution of the login steps and avoid granting broad autonomous privileges until you verify the code. If you want, I can scan the two script files for any network calls or suspicious constructs in more detail.
Capability Analysis
Type: OpenClaw Skill
Name: netease-music-pusher
Version: 1.0.0
The skill stores Netease Music session cookies in an unencrypted JSON file (`netease_cookies.json`) within the OpenClaw workspace's `secrets` directory (`/root/.openclaw/workspace/secrets/netease_cookies.json`). While this is intended for legitimate functionality (login persistence for personalized recommendations), storing sensitive session data unencrypted locally is a high-risk behavior. If the OpenClaw environment or filesystem is compromised, these cookies could be stolen, potentially leading to account takeover. There is no evidence of intentional malicious activity like exfiltration or misuse by this skill, but it represents a vulnerability in sensitive data handling.
Capability Assessment
Purpose & Capability
The name/description match the included Python clients: sending SMS captcha, logging in, fetching personalized daily recommendations and public toplists. Required dependency (cryptography) and use of music.163.com endpoints align with the stated purpose. No unrelated external services or credentials are requested.
Instruction Scope
SKILL.md instructs running scripts from /root/.openclaw/workspace and the code reads/writes /root/.openclaw/workspace/secrets/netease_cookies.json to persist login cookies. The manifest declared no required config paths, so the instructions reference a secrets path that wasn't declared — this is an inconsistency. Also the static scan flagged a 'base64-block' pattern in SKILL.md (possible prompt-injection payload); the visible SKILL.md is mostly benign, but the presence of a base64-like block in the doc should be inspected manually.
Install Mechanism
There is no install spec (instruction-only), and the only installation instruction is 'pip3 install cryptography' which is proportional to the included Python code that uses cryptography primitives. No arbitrary remote downloads or extract steps are present in the package.
Credentials
The skill requests no environment variables or external credentials. It does require the user to provide a phone number and SMS code at runtime (expected). However, it persists cookies to a secrets file under the workspace; these cookies are authentication tokens and should be treated as sensitive. The manifest did not declare this config path, so confirm you are comfortable with the skill storing tokens in the workspace/secrets location.
Persistence & Privilege
always:false and normal autonomous invocation settings. The skill persists login cookies to a workspace secrets file (expected for login flows) but does not request elevated platform privileges or modify other skills. Persisting cookies is normal for this feature, but it increases the attack surface if the workspace/secrets directory is accessible by other components.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install netease-music-pusher - After installation, invoke the skill by name or use
/netease-music-pusher - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial publish from local workspace
Metadata
Frequently Asked Questions
What is Netease Music Pusher?
自动验证码登录网易云音乐,获取并定时推送个性化每日推荐和公开榜单歌曲信息。 It is an AI Agent Skill for Claude Code / OpenClaw, with 843 downloads so far.
How do I install Netease Music Pusher?
Run "/install netease-music-pusher" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Netease Music Pusher free?
Yes, Netease Music Pusher is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Netease Music Pusher support?
Netease Music Pusher is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Netease Music Pusher?
It is built and maintained by evan (@t-evan); the current version is v1.0.0.
More Skills