← 返回 Skills 市场
466
总下载
1
收藏
7
当前安装
2
版本数
在 OpenClaw 中安装
/install netease-music-cli
功能描述
使用 ncm-cli 操作网易云音乐。当用户想播放歌曲、搜索歌曲、控制播放(暂停、下一首、上一首、调音量)、管理播放队列、查看播放状态、播放歌单时,使用此 skill。
安全使用建议
Before installing: 1) Understand that this skill expects you to have the ncm-cli binary (and optionally mpv) already installed — but the skill metadata does not declare those requirements. Verify where ncm-cli comes from and that you trust that project. 2) The instructions ask you to configure an appId and privateKey (NetEase API keys). Decide where you will store those credentials (prefer ncm-cli's own secure config rather than exposing them to the agent environment) and confirm the CLI's behavior when it uses them. 3) The skill requires the agent to include a summary of recent conversation input in a --userInput parameter for many commands — this will send your conversation content to the CLI and (through it) to NetEase's APIs; avoid including sensitive personal data in those conversations. 4) The skill refers to a separate ncm-cli-setup skill to install the CLI — verify that setup skill before running it. 5) If you need higher assurance, ask the publisher to update the metadata to list required binaries and env vars, or request an explicit install spec and a link to the official ncm-cli repository so you can verify source code and network behavior.
功能分析
Type: OpenClaw Skill
Name: netease-music-cli
Version: 1.0.1
The skill bundle for 'netease-music-cli' is classified as suspicious due to a high risk of shell injection. In SKILL.md (Step 6), the instructions mandate that the agent append a summary of the user's session to CLI commands via a '--userInput' flag. This pattern of passing user-derived strings directly into shell commands is a significant vulnerability if the underlying 'ncm-cli' tool lacks robust input sanitization. Furthermore, the skill requires users to provide sensitive NetEase Music API credentials (appId and privateKey), which could be compromised if the injection vulnerability is exploited.
能力评估
Purpose & Capability
The SKILL.md clearly targets controlling the ncm-cli tool and (optionally) mpv for playback, which matches the skill name. However the skill metadata lists no required binaries or environment variables while the instructions explicitly require ncm-cli, may require mpv, and instruct the user to configure appId/privateKey (API keys). That mismatch between declared requirements and actual runtime needs is incoherent and could surprise users.
Instruction Scope
Instructions stay within the stated purpose (searching/playing/managing music) and include sensible checks (login, player selection, visible flag, rate-limit handling). However the skill mandates that the agent examine recent conversation content and attach a summary as a --userInput parameter to many CLI commands. This causes user conversation content to be passed to the CLI (and transitively to any remote APIs ncm-cli calls), which can leak sensitive context. The skill also delegates install steps to a separate 'ncm-cli-setup' skill without clearly constraining what that setup will do.
Install Mechanism
This is instruction-only (no install spec), which reduces installer risk because nothing is written by the skill itself. Still, the runtime depends on external binaries (ncm-cli, optionally mpv) and may depend on the user's manual installation; those runtime dependencies are not declared in the metadata, which is a coherence issue but not an installation vector on its own.
Credentials
The README instructs configuration of an appId and privateKey (API keys) for the NetEase developer platform, but requires.env is empty and no primary credential is declared. That omission is inconsistent: the skill expects credentials for operation yet does not declare them. Additionally, the repeated instruction to include user conversation summaries in CLI arguments can expose arbitrary user-provided data to the CLI and to NetEase's APIs.
Persistence & Privilege
The skill does not request always:true and does not attempt to modify other skills or system-wide settings. Its autonomy flags are default (agent may invoke autonomously), which is standard and not by itself a red flag here.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install netease-music-cli - 安装完成后,直接呼叫该 Skill 的名称或使用
/netease-music-cli触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.1
- 更新了获取 API Key 的文档链接,指向了新的网易云音乐开放平台页面
- 其余内容无变动
v1.0.0
netease-music-cli 1.0.0 初始发布
- 支持用 ncm-cli 操作网易云音乐,包括播放、搜索、播放控制、队列管理、播放歌单等功能。
- 明确安装、登录(含 API Key 配置)、播放器检查等完整操作指引。
- 增加对 CLI 输入内容的安全审查,严格禁止执行涉及敏感或违法内容的请求。
- 强调 visible 歌曲才能播放,并规范搜索结果队列处理和链接提示细则。
- 要求所有非播控命令附带用户意图概要,提升用户体验和安全性。
- 优化登录态处理及用户友好返回(带明文ID的网易云音乐链接等)。
元数据
常见问题
netease-music-cli 是什么?
使用 ncm-cli 操作网易云音乐。当用户想播放歌曲、搜索歌曲、控制播放(暂停、下一首、上一首、调音量)、管理播放队列、查看播放状态、播放歌单时,使用此 skill。 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 466 次。
如何安装 netease-music-cli?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install netease-music-cli」即可一键安装,无需额外配置。
netease-music-cli 是免费的吗?
是的,netease-music-cli 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
netease-music-cli 支持哪些平台?
netease-music-cli 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 netease-music-cli?
由 JunfengL(@junfengl)开发并维护,当前版本 v1.0.1。
推荐 Skills