Total downloads: 229
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install xi-lrc-editor
Description
A professional LRC lyric authoring tool supporting audio waveform visualization, precise lyric timeline stamping, LRC import/export, real-time highlighting during playback, millisecond-level timestamp editing, and automatic local storage to prevent data loss. The frontend is built with jQuery + WaveSurfer.js, the backend with Python Flask; the default port is 698 and the interface is compact and efficient. Use cases: (1) creating LRC lyric files for songs (2) editing...
Safe usage recommendations
This tool appears to be a legitimate local LRC editor, but exercise caution before running it:
- Network exposure: The Flask app binds to 0.0.0.0 (all interfaces). If you run this on a machine connected to a network, others on that network could access the /upload and /shutdown endpoints. To limit exposure, edit web/app.py to use host='127.0.0.1' before launching.
- Unauthenticated endpoints: /upload accepts files and saves them temporarily using the original filename (no secure_filename sanitization) — this can allow filename tricks and unexpected writes in the temp directory. Consider hardening by using werkzeug.utils.secure_filename and validating the saved path.
- /shutdown is callable by any HTTP client that can reach the service; remove or protect it (e.g., require a token) if you plan to run on a networked host.
- Automatic pip installs: start_server.py will pip install packages into the active Python environment. Run it inside a dedicated virtual environment (venv) to avoid contaminating your system Python and to inspect the packages before installation.
- External JS CDN: the frontend loads jQuery and WaveSurfer from jsDelivr. If you need an offline or fully-audited install, vendor those scripts locally.
- Run safely: run the skill on an isolated machine or container, inspect/modify the code as above (bind to localhost, sanitize filenames, protect shutdown), and prefer using a venv. If you want, I can show exact code changes to harden the app (change host, add filename sanitization, or protect the shutdown endpoint).
Functional analysis
Type: OpenClaw Skill
Name: xi-lrc-editor
Version: 1.1.0
The skill is a functional LRC lyric editor, but it contains a path traversal vulnerability in `web/app.py` because it saves uploaded files using the unsanitized `file.filename` from the request. This could allow an attacker to overwrite or delete files outside the intended temporary directory. Additionally, `start_server.py` automatically executes `pip install` for several dependencies, which is a high-privilege action that introduces supply chain risks, although this behavior is documented in `SKILL.md`.
Capability assessment
Purpose & Capability
Name/description match the code: a Flask-based local web UI that generates waveform data and helps create/export LRC files. Required capabilities (pydub, numpy, Flask) are consistent with waveform generation and a backend.
Instruction Scope
SKILL.md instructs users to run the included start_server.py and says the service is reachable at http://localhost:698, but the Flask app binds to 0.0.0.0 (all interfaces), which can expose the service on the LAN. The app exposes an unauthenticated /upload endpoint that saves uploaded audio to the system temp dir (using the original filename without sanitization) and an unauthenticated /shutdown endpoint that terminates the process. The instructions do not mention these network exposure and authentication implications.
Install Mechanism
start_server.py automatically runs pip install for flask, pydub, and numpy at runtime. Installing dependencies automatically is convenient and consistent with the stated purpose, but it runs pip in the host Python environment (no virtualenv) and performs network installs from PyPI without prompting—this has expected but non-trivial operational risk.
Credentials
The skill requests no environment variables or credentials and does not require unrelated secrets. That is proportionate to its stated purpose.
Persistence & Privilege
The skill does not request 'always: true' and does not modify other skills. However, it binds the server to 0.0.0.0 (making it reachable from the network), and provides an unauthenticated /shutdown endpoint and unauthenticated /upload endpoint—these increase the blast radius if run on a machine reachable by others.
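The hardening that the safe-usage list and this assessment call for (bind to localhost, sanitize the uploaded filename and verify the saved path stays inside the temp directory, gate /shutdown on a token), written out as an added example. This is not the skill's own web/app.py, which the page does not show; the helper names, the X-Shutdown-Token header, the extension allow-list and the upload directory are assumptions made for the example.

```python
"""Hardened upload/shutdown handling for a local Flask LRC editor.

Added example for this page; it is not the skill's own web/app.py (which is not
shown here). Names such as build_app, UPLOAD_DIR, ALLOWED_EXTENSIONS and the
X-Shutdown-Token header are assumptions made for the example.
"""
import hmac
import os
import secrets
import tempfile
import threading
import uuid
from typing import Optional

# Constructed configuration for the example.
UPLOAD_DIR = os.path.join(tempfile.gettempdir(), "lrc-editor-uploads")
ALLOWED_EXTENSIONS = {".mp3", ".wav", ".flac", ".ogg", ".m4a"}
# Fresh on every process start; printed to the local console only, never sent to clients.
SHUTDOWN_TOKEN = secrets.token_urlsafe(32)


def safe_upload_path(upload_dir: str, client_filename: str) -> str:
    """Return a destination path inside upload_dir for a client-supplied name.

    Only the extension of the client's name survives (after an allow-list
    check); the stored basename is a random UUID, so '../' segments, absolute
    paths or drive letters in the request cannot steer the write. A final
    realpath/commonpath check guards the assembled path itself.
    Raises ValueError on anything that fails the checks.
    """
    # Take the last path component, treating both separator styles as separators.
    base = os.path.basename(client_filename.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"unsupported audio extension: {ext!r}")
    root = os.path.realpath(upload_dir)
    candidate = os.path.realpath(os.path.join(root, f"{uuid.uuid4().hex}{ext}"))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("resolved path escapes the upload directory")
    return candidate


def shutdown_authorized(presented: Optional[str], expected: str = SHUTDOWN_TOKEN) -> bool:
    """Constant-time check of the token presented to /shutdown."""
    if not presented:
        return False
    return hmac.compare_digest(presented.encode(), expected.encode())


def build_app():
    """Wire the helpers into Flask. Flask is imported lazily so the helpers
    above can be exercised without it installed."""
    from flask import Flask, abort, jsonify, request
    from werkzeug.utils import secure_filename

    app = Flask(__name__)
    app.config["MAX_CONTENT_LENGTH"] = 64 * 1024 * 1024  # reject oversize bodies early
    os.makedirs(UPLOAD_DIR, exist_ok=True)

    @app.post("/upload")
    def upload():
        f = request.files.get("file")
        if f is None or not f.filename:
            abort(400, "no file supplied")
        try:
            # secure_filename strips path separators and odd characters; the
            # helper then enforces the extension allow-list and the directory bound.
            dest = safe_upload_path(UPLOAD_DIR, secure_filename(f.filename))
        except ValueError as exc:
            abort(400, str(exc))
        f.save(dest)
        return jsonify({"stored_as": os.path.basename(dest)})

    @app.post("/shutdown")
    def shutdown():
        if not shutdown_authorized(request.headers.get("X-Shutdown-Token")):
            abort(403)
        # Let the response go out, then end the process.
        threading.Timer(0.5, lambda: os._exit(0)).start()
        return jsonify({"status": "shutting down"})

    return app


if __name__ == "__main__":
    print(f"shutdown token (keep local): {SHUTDOWN_TOKEN}")
    # Port 698 is the skill's documented default; 127.0.0.1 keeps it off the LAN.
    build_app().run(host="127.0.0.1", port=698)
```

Randomizing the stored basename rather than trusting the client's name is the simplest way to make traversal attempts irrelevant; the commonpath check remains as defence in depth should the naming scheme change later. The shutdown token lives only in the process and on the console, so a client on the same network can still reach the route but cannot trigger it.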
How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install xi-lrc-editor
- After installation, call the Skill by name directly or trigger it with /xi-lrc-editor
- Provide the required inputs according to the Skill's parameter description to get structured output
Version history
v1.1.0
LRC lyric authoring tool 1.1.0 released. A brand-new professional-grade lyric editing experience:
- Audio waveform visualization with millisecond-precise timestamping makes lyric creation more efficient and intuitive
- New LRC import/export and real-time highlight sync; batch-adjust lyric timestamps
- Automatically saves edited content locally to prevent data loss
- Improved keyboard-shortcut support, a modern responsive UI, and one-click server shutdown
- Backend built on Flask, frontend on jQuery + WaveSurfer.js; compact, efficient interface
Metadata
FAQ
What is Local LRC Editor 专业LRC歌词创作工具?
A professional LRC lyric authoring tool supporting audio waveform visualization, precise lyric timeline stamping, LRC import/export, real-time highlighting during playback, millisecond-level timestamp editing, and automatic local storage to prevent data loss. The frontend is built with jQuery + WaveSurfer.js, the backend with Python Flask; the default port is 698 and the interface is compact and efficient. Use cases: (1) creating LRC lyric files for songs (2) editing... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 229 cumulative downloads to date.
How do I install Local LRC Editor 专业LRC歌词创作工具?
Run the command "/install xi-lrc-editor" in the OpenClaw or Claude Code chat box for one-click installation; no extra configuration is needed.
Is Local LRC Editor 专业LRC歌词创作工具 free?
Yes, Local LRC Editor 专业LRC歌词创作工具 is completely free, released under the MIT-0 license, and may be freely downloaded, installed and used.
Which platforms does Local LRC Editor 专业LRC歌词创作工具 support?
Local LRC Editor 专业LRC歌词创作工具 is cross-platform and runs in any environment where OpenClaw / Claude Code is deployed.
Who developed Local LRC Editor 专业LRC歌词创作工具?
Developed and maintained by 小潴 (@xiyunnet); current version v1.1.0.