xiyunnet

Local LRC Editor 专业LRC歌词创作工具

by 小潴 · GitHub ↗ · v1.1.0 · MIT-0
cross-platform ⚠ suspicious
Downloads: 229 · Stars: 0 · Active Installs: 0 · Versions: 1
Install in OpenClaw
/install xi-lrc-editor
Description
Professional LRC lyric creation tool supporting audio waveform visualization, precise timestamp marking on the lyric timeline, LRC import/export, real-time highlighting during playback, millisecond-level timestamp editing, and automatic local storage to prevent data loss. The frontend is built with jQuery + WaveSurfer.js, the backend with Python Flask; the default port is 698 and the interface is compact and efficient. Use cases: (1) create LRC lyric files for songs (2) edit...
Usage Guidance
This tool appears to be a legitimate local LRC editor, but exercise caution before running it:
- Network exposure: The Flask app binds to 0.0.0.0 (all interfaces). If you run this on a machine connected to a network, others on that network could access the /upload and /shutdown endpoints. To limit exposure, edit web/app.py to use host='127.0.0.1' before launching.
- Unauthenticated endpoints: /upload accepts files and saves them temporarily using the original filename (no secure_filename sanitization) — this can allow filename tricks and unexpected writes in the temp directory. Consider hardening by using werkzeug.utils.secure_filename and validating the saved path.
- /shutdown is callable by any HTTP client that can reach the service; remove or protect it (e.g., require a token) if you plan to run on a networked host.
- Automatic pip installs: start_server.py will pip install packages into the active Python environment. Run it inside a dedicated virtual environment (venv) to avoid contaminating your system Python and to inspect the packages before installation.
- External JS CDN: the frontend loads jQuery and WaveSurfer from jsDelivr. If you need an offline or fully-audited install, vendor those scripts locally.
- Run safely: run the skill on an isolated machine or container, inspect/modify the code as above (bind to localhost, sanitize filenames, protect shutdown), and prefer using a venv.
If you want, I can show exact code changes to harden the app (change host, add filename sanitization, or protect the shutdown endpoint).
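The three hardening steps above (bind to loopback, sanitize the uploaded filename and verify the saved path stays in the temp directory, require a token for /shutdown) written out as an added example; this is not the skill's own web/app.py. UPLOAD_DIR, the X-Shutdown-Token header and the per-start random token are assumptions, and the sanitizer is a simplified stand-in for werkzeug.utils.secure_filename so the helpers run without Flask installed.

```python
import hmac
import os
import re
import tempfile
import threading

UPLOAD_DIR = os.path.join(tempfile.gettempdir(), "lrc_uploads")  # assumed location
SHUTDOWN_TOKEN = os.urandom(32).hex()  # assumed design: fresh random token per start
_UNSAFE = re.compile(r"[^\w.-]+")  # \w keeps CJK characters common in lyric filenames

def is_inside(upload_dir, path):
    """True only if the resolved path stays under the resolved upload_dir."""
    base = os.path.realpath(upload_dir)
    return os.path.commonpath([base, os.path.realpath(path)]) == base

def sanitize_filename(name):
    """Last path component only, odd chars -> '_', no leading dots (cf. secure_filename)."""
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    name = _UNSAFE.sub("_", name).lstrip(".")
    return name or "upload"

def resolve_upload_path(upload_dir, filename):
    """Sanitize, then still verify containment (defense in depth); None means reject."""
    target = os.path.join(upload_dir, sanitize_filename(filename))
    return os.path.realpath(target) if is_inside(upload_dir, target) else None

def shutdown_token_ok(supplied):
    """Constant-time compare so the token cannot be guessed byte by byte."""
    return supplied is not None and hmac.compare_digest(supplied.encode(), SHUTDOWN_TOKEN.encode())

if __name__ == "__main__":  # Flask wiring; the helpers above need no Flask
    from flask import Flask, abort, jsonify, request
    app = Flask(__name__)
    os.makedirs(UPLOAD_DIR, exist_ok=True)
    @app.post("/upload")
    def upload():
        f = request.files.get("file")
        path = resolve_upload_path(UPLOAD_DIR, f.filename) if f and f.filename else None
        if path is None:
            abort(400)
        f.save(path)
        return jsonify(saved=os.path.basename(path))
    @app.post("/shutdown")
    def shutdown():
        if not shutdown_token_ok(request.headers.get("X-Shutdown-Token")):
            abort(403)
        threading.Timer(0.5, lambda: os._exit(0)).start()  # exit after replying
        return jsonify(status="shutting down")
    print("shutdown token:", SHUTDOWN_TOKEN)
    app.run(host="127.0.0.1", port=698)  # loopback only; 698 is the listed port
```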
Capability Analysis
Type: OpenClaw Skill
Name: xi-lrc-editor
Version: 1.1.0
The skill is a functional LRC lyric editor, but it contains a path traversal vulnerability in `web/app.py` because it saves uploaded files using the unsanitized `file.filename` from the request. This could allow an attacker to overwrite or delete files outside the intended temporary directory. Additionally, `start_server.py` automatically executes `pip install` for several dependencies, which is a high-privilege action that introduces supply chain risks, although this behavior is documented in `SKILL.md`.
Capability Assessment
Purpose & Capability
Name/description match the code: a Flask-based local web UI that generates waveform data and helps create/export LRC files. Required capabilities (pydub, numpy, Flask) are consistent with waveform generation and a backend.
Instruction Scope
SKILL.md instructs users to run the included start_server.py and says the service is reachable at http://localhost:698, but the Flask app binds to 0.0.0.0 (all interfaces), which can expose the service on the LAN. The app exposes an unauthenticated /upload endpoint that saves uploaded audio to the system temp dir (using the original filename without sanitization) and an unauthenticated /shutdown endpoint that terminates the process. The instructions do not mention these network exposure and authentication implications.
Install Mechanism
start_server.py automatically runs pip install for flask, pydub, and numpy at runtime. Installing dependencies automatically is convenient and consistent with the stated purpose, but it runs pip in the host Python environment (no virtualenv) and performs network installs from PyPI without prompting—this has expected but non-trivial operational risk.
Credentials
The skill requests no environment variables or credentials and does not require unrelated secrets. That is proportionate to its stated purpose.
Persistence & Privilege
The skill does not request 'always: true' and does not modify other skills. However, it binds the server to 0.0.0.0 (making it reachable from the network), and provides an unauthenticated /shutdown endpoint and unauthenticated /upload endpoint—these increase the blast radius if run on a machine reachable by others.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install xi-lrc-editor
  3. After installation, invoke the skill by name or use /xi-lrc-editor
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.1.0
LRC lyric creation tool 1.1.0 released. A brand-new professional lyric editing experience:
- Audio waveform visualization with millisecond-precise timestamp marking, making lyric production more efficient and intuitive
- New LRC import/export and real-time highlight sync, with batch adjustment of lyric timestamps
- Automatic local storage of edited content to prevent data loss
- Improved keyboard shortcut support, a modern responsive UI, and one-click service shutdown
- Flask backend and jQuery + WaveSurfer.js frontend; compact and efficient interface
Metadata
Slug xi-lrc-editor
Version 1.1.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Local LRC Editor 专业LRC歌词创作工具?

Professional LRC lyric creation tool supporting audio waveform visualization, precise timestamp marking on the lyric timeline, LRC import/export, real-time highlighting during playback, millisecond-level timestamp editing, and automatic local storage to prevent data loss. The frontend is built with jQuery + WaveSurfer.js, the backend with Python Flask; the default port is 698 and the interface is compact and efficient. Use cases: (1) create LRC lyric files for songs (2) edit... It is an AI Agent Skill for Claude Code / OpenClaw, with 229 downloads so far.

How do I install Local LRC Editor 专业LRC歌词创作工具?

Run "/install xi-lrc-editor" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Local LRC Editor 专业LRC歌词创作工具 free?

Yes, Local LRC Editor 专业LRC歌词创作工具 is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Local LRC Editor 专业LRC歌词创作工具 support?

Local LRC Editor 专业LRC歌词创作工具 is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Local LRC Editor 专业LRC歌词创作工具?

It is built and maintained by 小潴 (@xiyunnet); the current version is v1.1.0.
