
cmus Music Player

Author: nhathuynguyen19 · GitHub · v1.0.1 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 130
Favorites: 0
Current installs: 0
Versions: 2
Install in OpenClaw
/install cmus
Description
AI skill to launch cmus in a Xubuntu terminal and enforce playback rules (single track vs shuffle folder). Robust against high latency and headless daemon en...
Usage instructions (SKILL.md)

cmus (OpenClaw Playback Controller)

Workflow: Receive file path from yt-dlp -> Launch cmus UI (if not running) -> Wait for socket -> Apply user's specific playback rules -> Play.

Find the active daemon & Launch UI

When OpenClaw runs in the background, it lacks X11/Wayland display variables. The agent MUST inject the environment variables and dynamically poll for the cmus socket instead of using hardcoded sleep.

Execute this precise bash block to ensure the terminal opens and the socket is ready:

```bash
export DISPLAY=${DISPLAY:-:0.0}
export XAUTHORITY=${XAUTHORITY:-$HOME/.Xauthority}
export DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/$(id -u)/bus"

if ! pgrep -x cmus > /dev/null; then
    xfce4-terminal -e cmus &
    for i in {1..20}; do
        cmus-remote -C "status" >/dev/null 2>&1 && break
        sleep 0.5
    done
fi
```

Playback Rule Engine

The agent must parse the user's prompt to determine the playback mode. CRITICAL: The agent MUST resolve <path_to_file> using eval echo to ensure absolute pathing before passing to cmus-remote.

Mode A: Play track and shuffle the rest (Default)

Trigger Intent: "Play this track", "Open song...", "Play and shuffle". Execute this bash block:

```bash
TARGET_FILE=$(eval echo "<path_to_file>")
cmus-remote -C "clear"
cmus-remote -C "add $HOME/.openclaw/workspace/music/"
cmus-remote -C "set continue=true"
cmus-remote -C "set shuffle=true"
cmus-remote -f "$TARGET_FILE"
```

Mode B: Play ONLY the requested track

Trigger Intent: "Play only this track", "Do not shuffle", "Single track mode". Execute this bash block:

```bash
TARGET_FILE=$(eval echo "<path_to_file>")
cmus-remote -C "clear"
cmus-remote -C "add $TARGET_FILE"
cmus-remote -C "set continue=false"
cmus-remote -C "set repeat=false"
cmus-remote -p
```

Security usage advice
This skill appears to do what it says (control cmus), but the runtime instructions include risky practices. Most importantly, replace `eval echo "<path_to_file>"` with a safe resolution method (e.g., realpath, readlink -f, or robust shell-safe expansion with strict quoting) to avoid command injection. Be cautious that the skill exports XAUTHORITY and DBUS_SESSION_BUS_ADDRESS — these give the process GUI/session access; only allow that if you trust the skill and run it under your user account (not root). Verify the skill's provenance (registry owner vs _meta.json owner/version mismatch) before granting it access to your desktop environment. If you don't trust it, run it in a sandboxed account or refuse installation. If you choose to use it, test with non-sensitive files and sanitize any user-supplied paths.
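The safe resolution recommended above, as an added example that is not part of the skill or of the registry's analysis. `resolve_track` and `MUSIC_ROOT` are hypothetical names; the default root is the workspace path SKILL.md adds to cmus, and the demo inputs are constructed.

```bash
#!/usr/bin/env bash
# Added example: resolve a user-supplied track path as data, never as shell code.
# resolve_track and MUSIC_ROOT are hypothetical names; the default root is the
# workspace path that SKILL.md passes to "cmus-remote -C add".

resolve_track() {
    local raw root resolved
    raw=$1
    root=$(realpath -- "${MUSIC_ROOT:-$HOME/.openclaw/workspace/music}") || return 1
    [ -d "$root" ] || return 1

    # Expand a leading "~/" by hand; no other character in the input is special.
    case $raw in
        "~/"*) raw="$HOME/${raw#??}" ;;
    esac

    # realpath receives one quoted argument, so $(...), backticks, ';' and
    # globs in the input stay literal bytes of a file name.
    resolved=$(realpath -- "$raw" 2>/dev/null) || return 1

    # Accept only regular files that live under the music workspace.
    case $resolved in
        "$root"/*) ;;
        *) return 1 ;;
    esac
    [ -f "$resolved" ] || return 1
    printf '%s\n' "$resolved"
}

# Constructed demo: a throwaway workspace and three inputs.
demo() {
    local ws marker input
    ws=$(mktemp -d) || return 1
    marker="$ws/marker"
    : > "$ws/a song.mp3"
    for input in "$ws/a song.mp3" "\$(touch $marker)" "$ws/../../etc/passwd"; do
        if MUSIC_ROOT=$ws resolve_track "$input" >/dev/null; then
            echo "accepted: $input"
        else
            echo "rejected: $input"
        fi
    done
    if [ -e "$marker" ]; then echo "marker created"; else echo "marker absent"; fi
    rm -rf -- "$ws"
}
demo
```

The resolved value would then be passed to cmus-remote as a single quoted argument, in place of the `eval echo` line in Mode A and Mode B.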
Functional analysis
Type: OpenClaw Skill Name: cmus Version: 1.0.1 The skill contains a significant shell injection vulnerability in SKILL.md due to the use of 'eval echo' on user-provided file paths (<path_to_file>). While intended to resolve absolute paths for the cmus music player, this pattern allows for arbitrary command execution if the input is manipulated. No evidence of intentional malice, data exfiltration, or persistence was found, aligning the behavior with a high-risk implementation flaw rather than malware.
Capability assessment
Purpose & Capability
The name/description (launch cmus, control playback modes) aligns with required binaries (cmus, cmus-remote, xfce4-terminal, pgrep) and the described workflow. Requiring X-terminal and cmus tools is proportional to the stated goal.
Instruction Scope
The SKILL.md instructs the agent to export DISPLAY, XAUTHORITY, and DBUS_SESSION_BUS_ADDRESS to access a desktop session — reasonable for launching a GUI but sensitive. Critically, it mandates resolving <path_to_file> via `TARGET_FILE=$(eval echo "<path_to_file>")`, which enables shell metacharacter expansion and command substitution and therefore creates a command-injection vector for arbitrary code execution if the input is attacker-controlled or malformed. The instructions also reference and add an agent workspace path ($HOME/.openclaw/workspace/music/), which is plausible but should be explicit about expected contents. Polling for the cmus socket and launching the UI are expected behavior.
Install Mechanism
This is an instruction-only skill with no install spec in the registry entry; risk is low because nothing will be written or executed on install. The SKILL.md metadata suggests an apt install hint for cmus, which is reasonable and low-risk.
Credentials
The skill does not request credentials or external tokens, which is appropriate. However, it instructs the agent to set XAUTHORITY and DBUS_SESSION_BUS_ADDRESS and to rely on $HOME and the user's session bus — these are sensitive environment items because XAUTHORITY grants GUI access and the session DBus can expose user-level IPC. Using them may be necessary to control a GUI music client, but the skill should not encourage blind copying/setting of these values without clear justification or safeguards.
Persistence & Privilege
The skill is not always-enabled and does not request persistent privileges or modify other skills. It does not store tokens or request elevated system-wide privileges.
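How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the dialog box: /install cmus
  3. Once installation completes, call the Skill by name or trigger it with /cmus
  4. Provide the required input according to the Skill's parameter description to get structured output
Version history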
v1.0.1
**Improved reliability and environment compatibility for cmus agent**
- Adds robust environment variable injection (DISPLAY, XAUTHORITY, DBUS) to ensure X11 terminal launch in headless/background environments.
- Replaces fixed sleep with dynamic polling for the cmus socket to prevent race conditions.
- Mandates resolving file paths using eval/echo before playback for maximum compatibility.
- Updates metadata to include "pgrep" as a required binary.
- Documentation updated with new exact bash instructions and improved process explanations.
v1.0.0
- Initial release of the cmus skill.
- Enables launching cmus in an Xubuntu terminal if not already running.
- Enforces user-intent playback rules: "play only this track" vs "play and shuffle rest".
- Dynamically resolves file paths to absolute paths for reliable playback.
- Supports headless playback configuration using cmus-remote commands.
- Designed for integration with the yt-dlp download workflow.
Metadata
Slug: cmus
Version: 1.0.1
License: MIT-0
Total installs: 0
Current installs: 0
Historical versions: 2
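FAQ

What is cmus Music Player?

AI skill to launch cmus in a Xubuntu terminal and enforce playback rules (single track vs shuffle folder). Robust against high latency and headless daemon en... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 130 total downloads to date.

How do I install cmus Music Player?

Run the command "/install cmus" in the OpenClaw or Claude Code dialog box for one-click installation; no additional configuration is needed.

Is cmus Music Player free?

Yes, cmus Music Player is completely free. It is released under the MIT-0 license and can be freely downloaded, installed and used.

Which platforms does cmus Music Player support?

cmus Music Player runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed cmus Music Player?

It is developed and maintained by nhathuynguyen19 (@nhathuynguyen19); the current version is v1.0.1.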
