Trusted — Risk Score 0/100
Last scan: 1 day ago
tianpuyue_music
Use Tianpuyue (天谱乐) AI to generate instrumental music, songs (with vocals), or lyrics, and save the results locally
Legitimate music generation skill that properly declares all capabilities, uses standard Python libraries for API communication, and stores outputs only in designated directories.
Skill Name: tianpuyue_music
Duration: 31.3s
Engine: pi
Safe to install
No action required. The skill follows security best practices with clear documentation, pinned Python version (>=3.14), and proper credential handling.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | WRITE | WRITE | ✓ Aligned | SKILL.md declares OUTPUT_ROOT env var; scripts write to outputs/tianpuyue/{music… |
| Network | READ | READ | ✓ Aligned | SKILL.md declares TIANPUYUE_API_KEY; API calls only to https://api.tianpuyue.cn |
| Shell | WRITE | WRITE | ✓ Aligned | SKILL.md metadata.requires.bins declares 'uv'; uv run is documented in SKILL.md … |
| Environment | READ | READ | ✓ Aligned | scripts/common.py reads TIANPUYUE_API_KEY and OUTPUT_ROOT; declared in SKILL.md … |
2 findings
Medium: External URL
https://www.tempolor.com/create/song
references/voice_id_map.md:3

Medium: External URL
https://api.tianpuyue.cn
scripts/common.py:45

File Tree

10 files · 28.6 KB · 835 lines
Python 7f · 690L Markdown 2f · 141L YAML 1f · 4L
├─ 📁 agents
│ └─ 📋 openai.yaml YAML 4L · 366 B
├─ 📁 references
│ └─ 📝 voice_id_map.md Markdown 35L · 2.8 KB
├─ 📁 scripts
│ ├─ 🐍 common.py Python 322L · 10.4 KB
│ ├─ 🐍 generate_lyrics.py Python 89L · 2.6 KB
│ ├─ 🐍 generate_music.py Python 91L · 2.7 KB
│ ├─ 🐍 generate_song.py Python 98L · 3.1 KB
│ ├─ 🐍 query_lyrics_status.py Python 30L · 735 B
│ ├─ 🐍 query_music_status.py Python 30L · 742 B
│ └─ 🐍 query_song_status.py Python 30L · 731 B
└─ 📝 SKILL.md Markdown 106L · 4.6 KB

Dependencies: 1 item

| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| Python Standard Library | >=3.14 | stdlib | No | urllib, json, pathlib, argparse, logging - all standard library |

Security Positives

✓ No obfuscation techniques detected - pure readable Python code
✓ No credential exfiltration - API key used only for Authorization header to legitimate endpoint
✓ No arbitrary code execution - uses uv run with documented scripts only
✓ No sensitive path access - outputs restricted to designated OUTPUT_ROOT subdirectory
✓ No base64 or encoded execution patterns
✓ Python version pinned to >=3.14 via PEP 723 inline script directive
✓ All functionality documented in SKILL.md with exact command examples
✓ Uses standard library (urllib) - no external dependencies with vulnerabilities
✓ Logging only to local files in OUTPUT_ROOT/outputs/logs - no external telemetry