skills/joeseesun/qiaomu-music-player-ncm/qiaomu-music-player-ncm/Socket

qiaomu-music-player-ncm

Warn

Audited by Socket on Mar 23, 2026

1 alert found:

Security

SecuritySKILL.md

MEDIUM

SecurityMEDIUM

SKILL.md

该技能的总体用途与音乐播放/推荐基本一致，但核心依赖 `@music163/ncm-cli` 的来源和发布链未被充分验证，同时它接收网易云开发者凭证并将其转交给该外部 CLI；再叠加 cron 持久化与较高自主操作范围，使其超出普通“音乐播放器”技能的最小信任面。结论为 SUSPICIOUS：主要问题是不可验证依赖 + 凭证转发，而非已证实恶意外传。

Confidence: 84%Severity: 82%

Audit Metadata

Analyzed At

Mar 23, 2026, 01:34 PM

Package URL

pkg:socket/skills-sh/joeseesun%2Fqiaomu-music-player-ncm%2Fqiaomu-music-player-ncm%2F@a776100cab9073ea00fb2c1913cf610e130d85a8