Low Risk — Risk Score 10/100
Last scan: 1 day ago
quick-music
A lightweight, fast music search tool. One command searches for a song and returns a play link; zero dependencies, ready to use out of the box.
A simple music search tool that makes HTTP requests to two declared APIs and prints results — no malicious behavior, shell execution, credential access, or hidden functionality detected.
Skill Name: quick-music
Duration: 31.6s
Engine: pi
Safe to install
The skill is safe to use. The sole IOC (IP 146.0.0.0) is a false positive: it is part of the Chrome browser version string in the User-Agent header, not a hard-coded C2 IP. No action required.

Findings (2 items)

Severity: Low
Finding: API endpoints not declared in SKILL.md
The two external APIs (kw-api.cenguigui.cn and api.xcvts.cn) are used in code but not documented. This is a minor documentation gap rather than a security violation, as the URLs are consistent with the tool's music-search purpose and no data is exfiltrated.
const SEARCH_API = "https://kw-api.cenguigui.cn/";
const PLAY_API = "https://api.xcvts.cn/api/music/migu";
→ Add the two API endpoints to SKILL.md under a 'Dependent Services' (依赖服务) section to improve transparency.
Location: scripts/quick-music.js:9

Severity: Info
Finding: Pre-scan IOC is a false positive
The 'hard-coded IP 146.0.0.0' IOC flagged by pre-scan is actually the Chrome version number embedded in the User-Agent browser string (Chrome/146.0.0.0). This is not a network IP address and poses no security risk.
"user-agent": "Mozilla/5.0 ... Chrome/146.0.0.0 Safari/537.36"
→ No action needed. The IOC detection rule should be refined to avoid matching version numbers.
Location: scripts/quick-music.js:24
Resource      Declared  Inferred  Status     Evidence
Filesystem    NONE      NONE                 scripts/quick-music.js — no fs module imported or used
Network       NONE      READ      ✓ Aligned  scripts/quick-music.js:9-10 — fetch() calls to two external APIs; not declared i…
Shell         NONE      NONE                 scripts/quick-music.js — no child_process or exec usage
Environment   NONE      NONE                 No os.environ access in the script
Skill Invoke  NONE      NONE                 No inter-skill invocation
Clipboard     NONE      NONE                 No clipboard access
Browser       NONE      NONE                 No browser automation
Database      NONE      NONE                 No database access
Pre-scan IOCs: 3 findings (1 High, 2 Medium)

📡 High: IP Address (hard-coded IP address)
146.0.0.0
scripts/quick-music.js:24

🔗 Medium: External URL
https://kw-api.cenguigui.cn/
scripts/quick-music.js:9

🔗 Medium: External URL
https://api.xcvts.cn/api/music/migu
scripts/quick-music.js:10

File Tree

2 files · 5.1 KB · 159 lines
JavaScript: 1 file · 118 lines; Markdown: 1 file · 41 lines
├─ 📁 scripts
│ └─ 📜 quick-music.js JavaScript 118L · 4.1 KB
└─ 📝 SKILL.md Markdown 41L · 1008 B

Security Positives

✓ Zero dependencies as advertised — no npm packages or external libraries imported
✓ No shell execution or command injection vectors
✓ No credential or environment variable access
✓ No file system operations
✓ No obfuscation, base64, or eval patterns
✓ Code behavior matches the SKILL.md description (music search + play URL retrieval)
✓ No sensitive file paths (~/.ssh, ~/.aws, .env) accessed