← 返回 Skills 市场
t-evan

Netease Music Pusher

作者 evan · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
843
总下载
0
收藏
2
当前安装
1
版本数
在 OpenClaw 中安装
/install netease-music-pusher
功能描述
自动验证码登录网易云音乐,获取并定时推送个性化每日推荐和公开榜单歌曲信息。
安全使用建议
This skill generally does what it says: it uses SMS captcha to log in to music.163.com, fetches daily recommendations and public charts, and saves login cookies so you don't re-login every time. Before installing: 1) Inspect the included scripts yourself (they're in scripts/) to confirm there are no hidden network endpoints or obfuscated code. 2) Note the skill will write cookies to /root/.openclaw/workspace/secrets/netease_cookies.json — treat that as sensitive and ensure only trusted processes can read that directory. 3) The SKILL.md had a base64-block scan hit — check the SKILL.md for any hidden/encoded content. 4) If you want to limit exposure, run the skill in a sandbox or container, or move the cookies path to a location you control, and confirm file permissions. 5) Because the publisher is unknown, prefer manual execution of the login steps and avoid granting broad autonomous privileges until you verify the code. If you want, I can scan the two script files for any network calls or suspicious constructs in more detail.
功能分析
Type: OpenClaw Skill Name: netease-music-pusher Version: 1.0.0 The skill stores Netease Music session cookies in an unencrypted JSON file (`netease_cookies.json`) within the OpenClaw workspace's `secrets` directory (`/root/.openclaw/workspace/secrets/netease_cookies.json`). While this is intended for legitimate functionality (login persistence for personalized recommendations), storing sensitive session data unencrypted locally is a high-risk behavior. If the OpenClaw environment or filesystem is compromised, these cookies could be stolen, potentially leading to account takeover. There is no evidence of intentional malicious activity like exfiltration or misuse by this skill, but it represents a vulnerability in sensitive data handling.
能力评估
Purpose & Capability
The name/description match the included Python clients: sending SMS captcha, logging in, fetching personalized daily recommendations and public toplists. Required dependency (cryptography) and use of music.163.com endpoints align with the stated purpose. No unrelated external services or credentials are requested.
Instruction Scope
SKILL.md instructs running scripts from /root/.openclaw/workspace and the code reads/writes /root/.openclaw/workspace/secrets/netease_cookies.json to persist login cookies. The manifest declared no required config paths, so the instructions reference a secrets path that wasn't declared — this is an inconsistency. Also the static scan flagged a 'base64-block' pattern in SKILL.md (possible prompt-injection payload); the visible SKILL.md is mostly benign, but the presence of a base64-like block in the doc should be inspected manually.
Install Mechanism
There is no install spec (instruction-only), and the only installation instruction is 'pip3 install cryptography' which is proportional to the included Python code that uses cryptography primitives. No arbitrary remote downloads or extract steps are present in the package.
Credentials
The skill requests no environment variables or external credentials. It does require the user to provide a phone number and SMS code at runtime (expected). However, it persists cookies to a secrets file under the workspace; these cookies are authentication tokens and should be treated as sensitive. The manifest did not declare this config path, so confirm you are comfortable with the skill storing tokens in the workspace/secrets location.
Persistence & Privilege
always:false and normal autonomous invocation settings. The skill persists login cookies to a workspace secrets file (expected for login flows) but does not request elevated platform privileges or modify other skills. Persisting cookies is normal for this feature, but it increases the attack surface if the workspace/secrets directory is accessible by other components.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install netease-music-pusher
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /netease-music-pusher 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial publish from local workspace
元数据
Slug netease-music-pusher
版本 1.0.0
许可证
累计安装 2
当前安装数 2
历史版本数 1
常见问题

Netease Music Pusher 是什么?

自动验证码登录网易云音乐,获取并定时推送个性化每日推荐和公开榜单歌曲信息。 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 843 次。

如何安装 Netease Music Pusher?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install netease-music-pusher」即可一键安装,无需额外配置。

Netease Music Pusher 是免费的吗?

是的,Netease Music Pusher 完全免费(开源免费),可自由下载、安装和使用。

Netease Music Pusher 支持哪些平台?

Netease Music Pusher 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 Netease Music Pusher?

由 evan(@t-evan)开发并维护,当前版本 v1.0.0。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463815 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259802 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200680 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191345 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190333 · by oswalpalash

💬 留言讨论