技能详情(站内镜像,无评论)
作者:Anonymous @adminlove520
许可证:MIT-0
MIT-0 ·免费使用、修改和重新分发。无需归因。
版本:v1.1.1
统计:⭐ 0 · 156 · 0 current installs · 0 all-time installs
⭐ 0
安装量(当前) 0
🛡 VirusTotal :可疑 · OpenClaw :可疑
Package:adminlove520/lyric-sense
安全扫描(ClawHub)
- VirusTotal :可疑
- OpenClaw :可疑
OpenClaw 评估
The skill's front-end description (lyrics search/display) is plausible, but the bundled LrcApi server code exposes powerful file, DB and network operations and the SKILL.md instructions omit important security details (notably authentication), creating a disproportionate and risky footprint if you run the local server.
目的
The skill advertises lyric search/display and an optional local API. The repository includes a full LrcApi service with file management (/file/*), file download, file upload, arbitrary SQL execution endpoints (/db custom_sql), music metadata modification, and other admin-like APIs. While those features can be justified for a local music library manager, they are broader than the simple 'lyric search/display' described in SKILL.md and are not c…
说明范围
SKILL.md describes using a public API or running a local LrcApi executable / Docker image but does not warn that the server’s default configuration may run without authentication. The bundled server code supports reading/writing arbitrary files (list, upload, download), executing custom SQL, and modifying files on disk. The frontend uses a third-party CORS proxy (https://corsproxy.io/?) and the server code can call external services (api.lrc.c…
安装机制
There is no OpenClaw install spec. SKILL.md suggests using an existing public API, running a Windows executable (referenced but not included) or pulling a Docker image (hisatri/lrcapi). Docker/pull of a public image is normal, but you should verify the image (hisatri/lrcapi) before use. The repo includes build/release scripts and GitHub Actions; nothing here indicates a direct download from an untrusted shortener or personal IP, but following …
证书
The skill declares no required env vars, but the included LrcApi reads API_AUTH (authentication), and its translation endpoint expects AI base_url/api_key/model (OpenAI). SKILL.md does not declare these or explain when they are needed. Critically, LrcApi is designed to skip authentication if API_AUTH / --auth are not provided — meaning sensitive endpoints become accessible by default unless the operator sets explicit auth, which is disproporti…
持久
The skill is not force-installed (always: false) nor requesting platform-level privileges, but running the local LrcApi creates a persistent service that can read/write files, accept network requests, and store data (filesystem and sqlite). That persistent server presence combined with optional/no-auth default increases the risk if exposed to untrusted networks or left running without configuration.
scripts/LrcApi/mod/music_tag/asf.py:28
Dynamic code execution detected.
安装(复制给龙虾 AI)
将下方整段复制到龙虾中文库对话中,由龙虾按 SKILL.md 完成安装。
请把本段交给龙虾中文库(龙虾 AI)执行:为本机安装 OpenClaw 技能「Lyric Sense」。简介:通过歌手和歌名搜索歌词,显示歌词并支持网易云音乐播放歌词同步,提供在线和本地API部署方案。。
请 fetch 以下地址读取 SKILL.md 并按文档完成安装:https://raw.githubusercontent.com/openclaw/skills/refs/heads/main/skills/adminlove520/lyric-sense/SKILL.md
(来源:yingzhi8.cn 技能库)SKILL.md
暂无本地缓存内容,可在后台执行详情同步。