← 返回 Skills 市场
a64307410

Release

作者 Jiang Swei · GitHub ↗ · v1.0.6 · MIT-0
cross-platform ⚠ suspicious
332
总下载
0
收藏
0
当前安装
5
版本数
在 OpenClaw 中安装
/install muse-ai
功能描述
AI 音乐创作助手 — 通过对话生成原创歌曲、纯音乐和 BGM。 当用户想要创作、生成、制作任何形式的音乐时使用此技能。 包括:生成带人声的歌曲、写歌词、作曲编曲、制作纯音乐/BGM/配乐,或将文字变成歌曲。 当用户提到具体音乐风格(如"来首民谣""做首说唱")时也应触发。 支持三种模式:灵感模式(一句话生成)、...
安全使用建议
What to check before installing: - Understand the auth flow: the skill asks users to paste a JWT-like token into the chat to register/verify; avoid pasting long-lived or sensitive tokens into conversation logs if you want them private. Consider creating a dedicated/throwaway account or short-lived token for use with this skill. - Backend domain: all network calls go to https://skill-api.muse.top (consistent across scripts). If you plan to use this skill, review that domain and the hosted service's privacy policy before giving credentials. - Local device fingerprinting: the skill computes a device id from hostname/MAC/username, hashes it, stores it in ~/.muse/device_id, and sends the hash as X-Device-Id. This is used server-side for dedup/rate-limiting but is a fingerprinting vector — be aware if you need stronger anonymity. - Inspect files before running install: the included install.sh copies files into CLI skill directories and creates ~/.muse. You can open and audit scripts locally (they use only Python stdlib and urllib). Run install in a controlled environment or sandbox if you have doubts. - Removal: uninstall removes the skill directory but leaves ~/.muse (install.sh documents how to fully delete the data: rm -rf ~/.muse). - If you are privacy-sensitive, either avoid pasting tokens into chat, use a dedicated/limited account, or ask the skill author for an OAuth/browser-based flow that avoids pasting secrets into conversation logs. Overall: the package appears internally coherent with its stated purpose; the main concerns are privacy-sensitive choices (token pasted into chat, local device fingerprinting) rather than evidence of malicious behavior.
功能分析
Type: OpenClaw Skill Name: muse-ai Version: 1.0.6 The skill bundle contains a high-risk command injection vulnerability in SKILL.md, where the AI agent is instructed to execute a bash command using unsanitized user input (the JWT token) via `scripts/register.py verify --token {content}`. Additionally, `scripts/muse_api.py` performs system fingerprinting by collecting the local username, hostname, and MAC address to generate a device ID (X-Device-Id) for API requests to `https://skill-api.muse.top`. While these behaviors are functionally linked to the music generation service, the combination of system tracking and the potential for remote code execution via the agent's command-line interface poses a security risk.
能力评估
Purpose & Capability
The skill's declared purpose (dialog-driven music/song/BGM generation) matches the included scripts and SKILL.md: scripts call a single backend (https://skill-api.muse.top) for styles, lyrics, generation and polling. Persisting a token, task_id and device_id under ~/.muse is coherent with needing login and asynchronous task tracking. No unrelated cloud credentials, binaries, or system config paths are requested.
Instruction Scope
Runtime instructions direct the agent to cd into the skill directory and run the included Python scripts (member-info, generate, query). They also implement a flow that asks the user to paste a JWT-like token into the chat (detected by messages starting with 'eyJ') which the scripts then verify and save to ~/.muse/token. Running those scripts and reading/writing ~/.muse files is expected, but prompting users to paste an auth token into the chat means secrets will appear in the conversation stream unless the agent/user takes care to avoid logging — this is a privacy/usability concern rather than an incoherence.
Install Mechanism
There is an install.sh included which copies the provided files into a skill directory for supported CLIs; it does not download arbitrary code from unknown servers during install. README suggests a git clone URL, but the packaged install script as provided is local and performs file copies, Python checks, and basic migration. No extract-from-remote or URL-shortener downloads were found in the install script.
Credentials
The skill requests no environment variables, but it does read system identifiers (hostname, MAC via uuid.getnode(), and login) to generate a persistent device id which it stores in ~/.muse/device_id and sends as X-Device-Id to the service. While the code hashes these values before storage/transmission, collecting MAC/username is privacy-sensitive and could be used to fingerprint a device. The workflow also asks users to paste an auth token into chat — exposing credentials in conversational logs is a real risk. These behaviors are explainable for the service but are proportionally sensitive and worth considering.
Persistence & Privilege
The skill persists its own state (token, device_id, task_id) under ~/.muse and installs files into a skill directory; it does not request always:true, does not alter other skills, and does not require elevated system privileges. Persistent storage of an auth token and device fingerprint is expected for a logged-in service but increases the persistent blast radius if the local environment or skill files are compromised.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install muse-ai
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /muse-ai 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.6
v1.0.6: token 脚本内部闭环,修复其他模型幻觉导致认证失败
v1.0.5
v1.0.5: token 脚本内部闭环,修复其他模型幻觉导致认证失败
v1.0.4
- fix cmd bug
v1.0.3
Muse-AI 1.0.3 Changelog - No file or SKILL.md changes detected compared to the previous version. - No visible feature updates, bug fixes, or documentation edits in this release.
v1.0.2
ai-music-muse 1.0.2 初始发布 - 修正若干程序不确定性问题。
元数据
Slug muse-ai
版本 1.0.6
许可证 MIT-0
累计安装 0
当前安装数 0
历史版本数 5
常见问题

Release 是什么?

AI 音乐创作助手 — 通过对话生成原创歌曲、纯音乐和 BGM。 当用户想要创作、生成、制作任何形式的音乐时使用此技能。 包括:生成带人声的歌曲、写歌词、作曲编曲、制作纯音乐/BGM/配乐,或将文字变成歌曲。 当用户提到具体音乐风格(如"来首民谣""做首说唱")时也应触发。 支持三种模式:灵感模式(一句话生成)、... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 332 次。

如何安装 Release?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install muse-ai」即可一键安装,无需额外配置。

Release 是免费的吗?

是的,Release 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。

Release 支持哪些平台?

Release 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 Release?

由 Jiang Swei(@a64307410)开发并维护,当前版本 v1.0.6。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191113 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论