← 返回 Skills 市场

Hetu Lyrics Blessing

Name: Hetu Lyrics Blessing
Author: trae1oung

作者 Yuqiao Tan · GitHub ↗ · v1.0.2

cross-platform ⚠ suspicious

388

总下载

当前安装

版本数

在 OpenClaw 中安装

/install hetu-lyrics-blessing

功能描述

A daily lyrics blessing skill that sends a random Hetu (河图) song lyric to a designated recipient every day at 23:00. Lyrics are fetched from Baidu Baike usin...

使用说明 (SKILL.md)

Hetu Lyrics Blessing (河图歌词祝福)

Daily send a random Hetu (河图) song lyric with blessing message.

Features

🎵 Lyrics fetched from Baidu Baike (baike.baidu.com) via agent-browser
⚠️ NEVER modify lyrics - always fetch exact text
💌 Personalized blessing message
📧 Email delivery via SMTP
⏰ Scheduled daily at 23:00

Directory Structure

hetu-lyrics-blessing/
├── SKILL.md
└── scripts/
    └── send_lyrics.py   # Main script with browser automation

How It Works

Randomly select a song from predefined list
Use agent-browser to open Baidu Baike page
Extract exact lyrics from the page
Send email with lyrics + blessing

Quick Start

1. Install Dependencies

npm install -g agent-browser
agent-browser install --with-deps

2. Configure SMTP

Edit send_lyrics.py:

SMTP_SERVER = "smtp.qq.com"
SMTP_PORT = 465
SMTP_EMAIL = "[email protected]"
SMTP_PASSWORD = "your_auth_code"
TO_EMAIL = "[email protected]"

3. Set up Cron

# Run daily at 23:00
crontab -l | { cat; echo "0 23 * * * /path/to/send_lyrics.py >> /path/to/log.txt 2>&1"; } | crontab -

Important Rules

⚠️ ALWAYS fetch from https://baike.baidu.com
⚠️ NEVER guess or modify lyrics
⚠️ If lyrics not found, use predefined backup
Include source URL in every message

安全使用建议

Do not run this skill as-is. Specific concerns: (1) The included Python script contains hard-coded SMTP credentials and a fixed recipient — treat these as compromised secrets; do not run with these values. (2) The metadata does not declare the agent-browser dependency or required env vars, so the skill is inconsistent and could behave unexpectedly. Before installing: remove or replace hard-coded credentials, require SMTP config via environment variables or a secure secret store, verify you control the SMTP account and recipient, and rotate any exposed credentials immediately. Also confirm that automated scraping of baike.baidu.com complies with site terms. If you cannot verify the source/owner of this skill or why real credentials are embedded, prefer not to install it.

功能分析

Type: OpenClaw Skill Name: hetu-lyrics-blessing Version: 1.0.2 The skill is classified as suspicious primarily due to the hardcoded, real-looking SMTP credentials (email and application password) found in `scripts/send_lyrics.py`. While the `SKILL.md` instructs the user to configure these values, distributing a skill with active, hardcoded credentials is a significant security vulnerability. If a user installs and runs this skill without modifying the script, it will immediately attempt to send emails using the provided `[email protected]` account, which constitutes unauthorized use of an email account from the perspective of the installing user. Additionally, the use of `subprocess.run(..., shell=True)` in `scripts/send_lyrics.py` presents a potential shell injection vulnerability, although it is not immediately exploitable in this specific context as inputs are from trusted, hardcoded sources.

能力评估

⚠ Purpose & Capability

The skill's purpose (daily email of lyrics) matches the code: it fetches pages with an automated browser and sends mail via SMTP. However the package metadata declares no required binaries or env vars while SKILL.md instructs installing a global npm tool (agent-browser) and configuring SMTP — this mismatch is incoherent. A legitimate skill should declare the agent-browser dependency and require SMTP credentials (ideally via env vars), not leave them implicit.

⚠ Instruction Scope

SKILL.md instructs installing and using agent-browser to fetch exact lyrics and to edit send_lyrics.py with SMTP credentials and a cron entry. The runtime instructions and the script explicitly invoke agent-browser to fetch full page text and then extract lyrics — within scope. The problem: the instructions tell you to supply credentials, but the distributed script already contains functioning, hard-coded SMTP credentials and a fixed recipient, which is unexpected and risky.

ℹ Install Mechanism

There is no install spec in the registry (instruction-only), but SKILL.md requires installing agent-browser via npm (-g). Installing a global npm package is a standard action but entails network installs; that step is not declared in the metadata. The skill does not download arbitrary archives or use obscure URLs, so install risk is moderate but should be declared.

⚠ Credentials

The skill requests no environment variables in metadata, yet the script contains hard-coded SMTP credentials (SMTP_EMAIL, SMTP_PASSWORD) and a fixed recipient address. This is a significant mismatch: a mail-sending skill should require SMTP credentials (and preferably read them from env vars) rather than shipping working secrets. Hard-coded credentials in published code are a red flag for misconfiguration, credential leakage, or abuse.

✓ Persistence & Privilege

The skill is not force-installed (always:false) and does not modify other skills or system-wide agent settings. It suggests the user set up a cron job to run the script daily; that is a user action outside the agent and not an elevated platform privilege.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install hetu-lyrics-blessing
安装完成后，直接呼叫该 Skill 的名称或使用 /hetu-lyrics-blessing 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.2

- Now fetches lyrics directly from Baidu Baike using agent-browser automation. - Ensures lyrics are always exact—never guessed or modified. - SKILL.md updated with clearer usage rules and detailed automation setup instructions. - Requires installation of agent-browser and related dependencies. - Includes a failsafe: falls back to a local backup if lyrics can’t be fetched.

v1.0.1

- Minor update to scripts/send_lyrics.py - No changes to features or documentation - Functionality and usage remain the same

v1.0.0

- Initial release of hetu-lyrics-blessing. - Sends a random Hetu (河图) song lyric with a personalized blessing message daily at 23:00. - Lyrics sourced from Baidu Baike for accuracy. - Delivery via email using configurable SMTP settings. - Designed for daily medicine reminders, warm messages, or blessings with ancient style Chinese lyrics.

元数据

Slug hetu-lyrics-blessing

版本 1.0.2

许可证 —

累计安装 0

当前安装数 0

历史版本数 3

常见问题