ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Voice Note To Midi

v0.1.0

Convert voice notes, humming, and melodic audio recordings to quantized MIDI files using ML-based pitch detection and intelligent post-processing

0· 1.8k·1 current·1 all-time
by@danbennettuk
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description (voice-to-MIDI) matches the requested tools and actions: Python 3.11+, pip packages such as basic-pitch, librosa, soundfile, and optional music21; stem separation, pitch detection, analysis and quantization all map to the declared dependencies and files.
Instruction Scope
SKILL.md and setup.sh stay within the audio→MIDI domain, but the installer will create ~/melody-pipeline, create a virtualenv, and optionally append the install dir to your shell rc (persisting a PATH change). setup.sh also instructs you to download the hum2midi script if it isn't bundled — so review the script source before running it.
Install Mechanism
There is no packaged installer; setup.sh uses a venv and pip to install dependencies (moderate risk typical for Python packages). The script suggests downloading hum2midi from a raw GitHub URL if missing (GitHub raw is standard but you should verify the URL/contents). No downloads from obscure hosts are present in the provided files.
Credentials
The skill requests no credentials or sensitive environment variables. It uses a configurable INSTALL_DIR env var as an installation convenience (not a secret) — proportional to the task.
Persistence & Privilege
The installer offers to add the install directory to the user's PATH by appending to ~/.bashrc or ~/.zshrc, which is a reasonable user-level persistent change for a CLI tool but is a persistent modification you should be aware of before consenting.
Assessment
This package appears to do what it claims, but take these precautions before installing: (1) Inspect or obtain the hum2midi script from a trusted source (the setup will ask you to download it if not present). (2) Run setup.sh interactively and review it first — it will create ~/melody-pipeline, a Python venv, and may append a PATH update to your shell rc. (3) The installer uses pip to fetch packages (basic-pitch, librosa, etc.); installing packages runs code from PyPI — prefer running inside the created venv and review package reputations. (4) If you prefer less persistence, set INSTALL_DIR to a temporary location and decline the PATH change. (5) If you need higher assurance, manually clone the referenced repository URL and inspect hum2midi and any model-download behavior before running the installer.

Like a lobster shell, security has layers — review code before you run it.

latestvk971fqbw9af7k4ap1evw8yjkkd805r2c

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments