Trusted — Risk Score 5/100
Last scan: 20 hr ago
music-downloader
Multi-source music download skill - search and download MP3 files from 10 music platforms
This is a legitimate multi-source music downloader with no malicious behavior detected. All capabilities match the documented functionality.
Skill Name: music-downloader
Duration: 26.3s
Engine: pi
Safe to install
No action required. The skill can be used safely.

Findings: 1 item

Severity: Low
Finding: SSL Verification Disabled (Sensitive Access)
Location: music_downloader.py
The code uses verify=False in requests, disabling SSL certificate verification. This is a common practice in scraping tools but could enable MITM attacks.
verify=False
→ Consider using proper SSL verification or document why it's necessary for this use case.
Resource | Declared | Inferred | Status | Evidence
Filesystem | WRITE | WRITE | ✓ Aligned | download() writes to /tmp/music/ (line 380)
Network | READ | READ | ✓ Aligned | Makes HTTP requests to music platform APIs
Shell | NONE | NONE | | No shell execution found
Environment | NONE | NONE | | No environment variable access
1 High 30 findings
High | IP Address (hardcoded IP address) | 120.0.0.0 | music_downloader.py:20
Medium | External URL | https://www.thttt.com/so.php?wd= | music_downloader.py:36
Medium | External URL | https://www.thttt.com/style/js/play.php | music_downloader.py:64
Medium | External URL | https://complexsearch.kugou.com/v2/search/song?keyword= | music_downloader.py:74
Medium | External URL | https://www.kugou.com/yy/html/singer.html?hash= | music_downloader.py:92
Medium | External URL | https://www.kuwo.cn/api/www/search/searchMusicBykeyWord?key= | music_downloader.py:102
Medium | External URL | https://www.kuwo.cn | music_downloader.py:103
Medium | External URL | https://www.kuwo.cn/api/v1/www/music/playInfo?mid= | music_downloader.py:120
Medium | External URL | https://music.163.com/api/search/get?s= | music_downloader.py:129
Medium | External URL | https://music.163.com | music_downloader.py:130
Medium | External URL | https://music.163.com/song/media/outer/url?id= | music_downloader.py:150
Medium | External URL | https://music.163.com/api/song/enhance/player/url?ids=[ | music_downloader.py:157
Medium | External URL | https://c.y.qq.com/soso/fcgi-bin/client_search_cp?p=1&n=15&w= | music_downloader.py:167
Medium | External URL | https://y.qq.com/n/ryqq/songDetail/ | music_downloader.py:188
Medium | External URL | https://u.y.qq.com/cgi-bin/musicu.fcg?data= | music_downloader.py:195
Medium | External URL | https://www.gequbao.com/s/ | music_downloader.py:209
Medium | External URL | https://www.gequbao.com/api/song/url?id= | music_downloader.py:222
Medium | External URL | https://www.5nd.com/song/0-0-0-0-0-0-0-0-1-0-0-0.html?searchKey= | music_downloader.py:231
Medium | External URL | https://www.5nd.com/song/ | music_downloader.py:245
Medium | External URL | https://www.1ting.com/search?q= | music_downloader.py:257
Medium | External URL | https://www.1ting.com/song/ | music_downloader.py:270
Medium | External URL | https://www.9ku.com/soso/-k- | music_downloader.py:281
Medium | External URL | https://www.9ku.com/play/ | music_downloader.py:297
Medium | External URL | https://www.musicenc.com/search/ | music_downloader.py:312
Medium | External URL | https://www.musicenc.com/song/ | music_downloader.py:325
Medium | External URL | https://www.kuwo.cn/ | music_downloader.py:367
Medium | External URL | https://www.kugou.com/ | music_downloader.py:369
Medium | External URL | https://music.163.com/ | music_downloader.py:371
Medium | External URL | https://y.qq.com/ | music_downloader.py:373
Medium | External URL | https://www.thttt.com/ | music_downloader.py:375

File Tree

2 files · 20.6 KB · 523 lines
Python 1f · 463L Markdown 1f · 60L
├─ 🐍 music_downloader.py Python 463L · 18.9 KB
└─ 📝 SKILL.md Markdown 60L · 1.8 KB

Dependencies: 1 item

Package | Version | Source | Known Vulns | Notes
requests | * | pip | No | Standard library, version not pinned but no known vulnerabilities

Security Positives

✓ No credential harvesting detected
✓ No reverse shell or code execution capabilities
✓ No data exfiltration to external IPs
✓ No base64 encoding or obfuscation
✓ No hidden functionality - all code aligns with documented behavior
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No supply chain risks - only uses standard requests library
✓ Proper file path handling with os.makedirs and safe filename sanitization