← 返回 Skills 市场

Youtube Music

Name: Youtube Music
Author: oki3505f

作者 om yarewara · GitHub ↗ · v3.0.0

cross-platform ⚠ suspicious

472

总下载

当前安装

版本数

在 OpenClaw 中安装

/install youtube-music-ultra

功能描述

Control YouTube Music with natural language. Play, pause, skip, search, manage playlists, and queue tracks. Full playback control via browser automation.

安全使用建议

What to check before installing: - Confirm you have and trust the OpenClaw CLI/browser tool: scripts call openclaw browser commands and will try to start a browser. If you don't have OpenClaw installed, parts will fail. - The skill writes caches (e.g., /tmp/yt_music_v3_cache.json and /tmp/yt_music_v3.json). These files may contain mapping of queries to URLs/video IDs; review or clear them if you are concerned about local persistence. The skill does not exfiltrate data to external servers. - The package declares YOUTUBE_MUSIC_BROWSER_PROFILE but the v3 scripts default to the 'openclaw' profile and don't read that env var; if you expect the skill to use a different browser profile, either set the profile manually in scripts or confirm how your OpenClaw environment should expose it. - The Node scripts use child_process.execSync to call openclaw; this is expected for a browser-control skill but means commands run with the agent's privileges. Only install/run this skill in an environment you trust. - If you want lower footprint, inspect or run the bundled scripts manually first (they are contained in the skill folder) rather than enabling autonomous invocation. Overall: behavior is coherent with the stated purpose and no obvious data-exfiltration or unrelated credential access was found — treat it as functionally appropriate but verify OpenClaw tooling and the cache behavior before enabling.

功能分析

Type: OpenClaw Skill Name: youtube-music-ultra Version: 3.0.0 The skill contains multiple critical shell injection vulnerabilities in its Node.js scripts (`scripts/control.js`, `scripts/direct-play.js`, `scripts/ultra-play.js`). These scripts use `child_process.execSync` to execute `openclaw browser` commands, but user-controlled input (e.g., song queries, video IDs) is directly embedded into the shell command strings without proper shell escaping. While URL encoding is applied, it does not prevent shell metacharacters from being interpreted by `execSync`, potentially allowing arbitrary command execution on the host system. There is no evidence of intentional malicious behavior, classifying this as suspicious due to severe vulnerabilities.

能力评估

ℹ Purpose & Capability

Name/description (YouTube Music control via browser automation) lines up with the code and SKILL.md: scripts open music.youtube.com, perform searches, and call the OpenClaw browser CLI. Minor inconsistency: SKILL metadata and package.json declare a required env var YOUTUBE_MUSIC_BROWSER_PROFILE, but the main v3 scripts default to the literal profile 'openclaw' and do not actually read that env var, so the declared requirement isn't used by the shipped scripts.

✓ Instruction Scope

SKILL.md and scripts restrict actions to starting/checking the OpenClaw browser and opening YouTube Music search/watch URLs. The code does not attempt to read unrelated system files, request unrelated credentials, or POST data to external personal servers — it controls playback by opening search/watch URLs and relying on YouTube auto-play behavior. Error handling and caching behavior are local.

✓ Install Mechanism

No remote download/install spec is present (instruction- and script-based skill). There are local scripts and Node files bundled with the skill; nothing pulls arbitrary code from external nonstandard hosts at install time, which keeps install risk low.

ℹ Credentials

Only declared env var is YOUTUBE_MUSIC_BROWSER_PROFILE and required binary is node — both plausible for a browser-automation skill. However, the code rarely reads that env var (scripts use a hardcoded/default profile 'openclaw'), so the declared env requirement appears unnecessary or misdocumented. No other credentials (API keys, tokens, AWS creds, etc.) are requested.

✓ Persistence & Privilege

The skill does not request 'always: true' and will not be force-included. It creates small local cache files under /tmp (and scripts reference ~/.openclaw in docs) but does not attempt to change other skills' configs or system-wide auth. Local caches are persistent across runs but limited in scope.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install youtube-music-ultra
安装完成后，直接呼叫该 Skill 的名称或使用 /youtube-music-ultra 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v3.0.0

Major update with extensive documentation and feature overview. - Added comprehensive SKILL.md with detailed usage, commands, configuration, and advanced features. - Clarified playback, search, playlist, queue, and information command syntax. - Documented browser automation with OpenClaw, error handling, and dynamic selector use. - Listed advanced and planned features, limitations, and example interactions. - Included quick start info, testing instructions, and dependency notes.

元数据

Slug youtube-music-ultra

版本 3.0.0

许可证 —

累计安装 0

当前安装数 0

历史版本数 1

常见问题

Youtube Music 是什么？

Control YouTube Music with natural language. Play, pause, skip, search, manage playlists, and queue tracks. Full playback control via browser automation. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 472 次。

如何安装 Youtube Music？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install youtube-music-ultra」即可一键安装，无需额外配置。

Youtube Music 是免费的吗？

是的，Youtube Music 完全免费（开源免费），可自由下载、安装和使用。

Youtube Music 支持哪些平台？

Youtube Music 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 Youtube Music？

由 om yarewara（@oki3505f）开发并维护，当前版本 v3.0.0。