Trusted: risk score 5/100
Last scanned: 2 days ago
Bumblebee + R2-DJ
AI music agent that communicates through Spotify lyric clips and curates contextual playlists based on time and mood
Legitimate Spotify music playback and lyric-curation skill with transparent, well-documented functionality and no malicious indicators.
Skill name: Bumblebee + R2-DJ
Analysis time: 31.7s
Engine: pi
Safe to install
Approve for deployment. The skill performs standard Spotify API integration for music playback control with no hidden or suspicious behavior.

Security findings (1)

Severity: Low
Finding: Implicit filesystem read access
Details: The skill reads lyric-index.json, lyrics-db.json, tokens.json, and .env files, but SKILL.md does not explicitly declare filesystem:READ. These reads are documented in SETUP.md and are standard for a Node.js-based music skill.
Evidence: fs.readFileSync(INDEX_FILE, 'utf8')
Recommendation: Add filesystem:READ to the declared capabilities in SKILL.md for completeness
Location: scripts/lyric-engine.js:54
Resource type      Declared  Inferred  Status        Evidence
Filesystem         NONE      READ      ✓ Consistent  scripts/lyric-engine.js:54 - loadIndex() reads lyric-index.json
Network access     NONE      READ      ✓ Consistent  scripts/lyric-engine.js:21 - lrcSearch() calls lrclib.net; scripts/bumblebee.js:…
Command execution  NONE      NONE                    No subprocess or shell execution found
External URLs (4 findings)
Medium  External URL  https://swats.ai  (README.md:77)
Medium  External URL  https://developer.spotify.com/dashboard  (SETUP.md:11)
Medium  External URL  https://accounts.spotify.com/authorize?client_id=$  (SETUP.md:56)
Medium  External URL  https://accounts.spotify.com/api/token  (SETUP.md:71)

Directory structure

8 files · 71.8 KB · 2169 lines
JavaScript: 3 files · 1616 lines; Markdown: 5 files · 553 lines
├─ 📁 references
│ └─ 📝 song-library.md Markdown 65L · 2.6 KB
├─ 📁 scripts
│ ├─ 📝 build-lyric-index.md Markdown 76L · 2.2 KB
│ ├─ 📜 bumblebee.js JavaScript 291L · 8.5 KB
│ ├─ 📜 lyric-engine.js JavaScript 586L · 18.3 KB
│ └─ 📜 r2-dj.js JavaScript 739L · 23.7 KB
├─ 📝 README.md Markdown 77L · 2.5 KB
├─ 📝 SETUP.md Markdown 147L · 5.1 KB
└─ 📝 SKILL.md Markdown 188L · 9.0 KB

Security highlights

✓ No shell execution or subprocess calls anywhere in the codebase
✓ All network requests go to legitimate, documented endpoints (api.spotify.com, accounts.spotify.com, lrclib.net)
✓ No credential harvesting or exfiltration - OAuth tokens are stored locally and used only for Spotify API
✓ No base64 encoding/decoding, eval(), or dynamic code execution
✓ No attempts to access sensitive system paths (~/.ssh, ~/.aws, /etc/passwd)
✓ No remote script execution (curl|bash, wget|sh)
✓ No hidden instructions in comments or HTML
✓ Well-structured Node.js code with clear, documented functionality
✓ All file operations are restricted to the skill's data directory and the configured Spotify project path