Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
AcidDoc
v1.0.0
Autonomously produces and submits original acid techno tracks with hyperpop chaos and glitch minimalism, inspired by Le Wanski and Fred again..., on claw.fm.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Files and SKILL.md clearly implement an autonomous 'claw.fm acid techno musician' that generates audio, uploads tracks, and manages a wallet; however registry metadata (skill name: 'AcidDoc', slug 'doctor-acid') does not match the packaged content. The skill's stated purpose (music generation + submission) legitimately requires network access, music API keys, and a claw.fm agent token/wallet — but those credentials and tool permissions are not declared in the registry metadata, which is inconsistent and misleading.
Instruction Scope
Runtime instructions tell the agent to generate audio via external APIs, write files (audio/artwork), call HTTP APIs (curl to api.claw.fm/v1/tracks/submit), connect/manage a wallet, and persist production logs. The SKILL.md and related documents also request 'Always submit' behavior and permit tools such as file_system and http_request in example config. That scope goes beyond a simple prompt helper and includes automated network uploads and financial operations — all of which should have explicit declared requirements and tighter, auditable rules.
Install Mechanism
This is instruction-only (no install spec) so nothing is automatically downloaded by the registry scanner — lower install risk. However the docs instruct users to npm install packages (riffusion-api, @suno-ai/sdk, udio-sdk) and to install OpenClaw; those are manual steps and will pull third‑party code if followed. Lack of an explicit install specification in the registry means installation behavior is driven by user actions and the skill's own instructions, which is correct technically but deserves caution.
Credentials
The registry declares no required env vars, yet the docs reference multiple secrets (ANTHROPIC_API_KEY, SUNO_API_KEY, UDIO_API_KEY, 'YOUR_AGENT_TOKEN' for claw.fm, and wallet credentials implicitly). Those variables are appropriate for a music‑generation + submission workflow, but they are not declared up front. The absence of declared credentials and an explicit 'primaryEnv' makes it unclear what secrets the skill will use or request at runtime.
Persistence & Privilege
always:false (good), but the skill's manifest and docs encourage long‑running autonomous behavior (production loops every 6–24 hours), cloud deployment, and wallet connectivity. Example agent config grants broad tool permissions (file_system, web_fetch, http_request, nodes). Autonomous submission + wallet operations combined with broad file/network access increases blast radius if misconfigured; this should be explicitly disclosed in metadata and limited to required scopes.
What to consider before installing
This package appears to be a full autonomous music‑production and publishing skill, but the registry metadata and declared requirements are inconsistent with what the docs actually ask the agent to do. Before installing or granting any keys/permissions:
1) Ask the author to correct the registry metadata (name/slug) and to explicitly declare the required environment variables (Anthropic, SUNO_API_KEY, UDIO_API_KEY, claw.fm agent token/wallet credentials) and required agent/tool permissions.
2) Do not supply your primary wallet/private keys; use a dedicated test wallet with minimal funds for initial trials.
3) Confirm the destination endpoints (api.claw.fm) are legitimate and request documentation for how agent tokens are created/rotated.
4) If you plan to run the agent autonomously, restrict its file_system and network permissions to only what is necessary, run it in a sandbox or test account, and review generated uploads for copyrighted material before publishing.
5) Consider asking for a minimal reproducible example or a trimmed-down version that only generates audio locally (no auto‑submission or wallet integration) so you can validate behavior before enabling full automation.
Like a lobster shell, security has layers — review code before you run it.
