🎵 Music Research (Crate) — AI Music Research

v0.2.3

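Aggregates 92+ tools across 17 major music sources. Search MusicBrainz, Bandcamp, Discogs, Genius, Last.fm, Wikipedia and other platforms in one step to trace influences, compare tracks and fill in metadata.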

by @tmoody1973 (Tarik Moody)
Last updated: 2026/4/22
Security scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
The skill's purpose (music research) matches its instructions, but it asks the agent to run an unpinned npm package via npx and hands your Anthropic API key to that subprocess, which is a supply-chain/privacy risk that users should understand before installing.
Assessment recommendation
This skill is coherent with its stated purpose, but it will cause your agent to run `npx crate-cli` (unversioned) and hand that process your ANTHROPIC_API_KEY. That means: (1) arbitrary code from the npm registry will be executed on your environment at runtime, (2) the crate-cli process can send queries and any user data to external services (including Anthropic) and persist data locally in SQLite. Before installing: verify the crate-cli package source and version (prefer a pinned version), insp...
Detailed analysis
Purpose and capability
The name/description (music research across many sources) aligns with the declared requirements: it needs npx to run the crate-cli and an ANTHROPIC_API_KEY which plausibly powers LLM reasoning inside the CLI. Optional API keys for individual music services are listed as optional in the SKILL.md and are coherent with the described capabilities.
Instruction scope
The SKILL.md instructs the agent to add an MCP server entry that launches `npx -y crate-cli --mcp-server` and exposes many tools over stdio; it also documents local SQLite caches (collection, playlist, influence cache). The instructions do not ask the agent to read unrelated system files or secrets, but they do instruct running an external CLI that will access networks and persist local caches and configuration. That means queries and data may be transmitted to external services and persisted locally.
Install mechanism
There is no install spec, but runtime usage relies on `npx` to download and execute `crate-cli` from the npm registry with no pinned version in the provided example. This effectively executes remote code on the agent host at runtime (supply-chain risk). The skill will therefore cause dynamic code to be fetched and run, which increases risk compared to instruction-only behavior that uses only built-in binaries.
Credential requirements
The one required environment variable (ANTHROPIC_API_KEY) is plausible if the CLI uses Anthropic's models for reasoning. However, the SKILL.md instructs passing that key into the spawned process; that gives the remote-executed CLI full access to the key and any requests it makes to Anthropic. Many additional optional API keys are listed for other services — these are optional but sensitive if provided.
Persistence and privileges
always:false (good), but the instructions ask the user/agent to add a persistent MCP server entry and the CLI creates local SQLite caches (influence graph, collection, playlists). This results in long-lived configuration and locally stored data; not inherently malicious, but a persistence/privacy consideration.
Security is layered; review the code before running it.

Runtime dependencies

No special dependencies

Versions

latest · v0.2.3 · 2026/2/25

Initial release — 92 tools across 17 sources. Influence tracing, track verification, playlist building, and publishing.

Suspicious

Install command

Official: npx clawhub@latest install crate-music-research
Mirror (accelerated): npx clawhub@latest install crate-music-research --registry https://cn.longxiaskill.com
Data source: ClawHub · Chinese localization: 龙虾技能库