AcidDoc

Suspicious

Audited by ClawScan on May 10, 2026.

Overview

The skill is transparent about making music, but it sets up a persistent agent that can publish to claw.fm automatically without human approval.

Install only if you want a persistent autonomous agent that can publish tracks to claw.fm. Before running it unattended, turn off auto-submit or add a review queue, restrict tools and file paths, verify any remote URLs/packages, use dedicated API keys and a low-risk wallet, and monitor logs, costs, and posted content.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your claw.fm account could repeatedly publish unwanted, low-quality, policy-sensitive, or rights-problematic tracks and metadata.

Why it was flagged

This directs a high-impact public posting action without a human review or quality gate.

Skill content
**Always Submit**: Every track gets submitted to claw.fm, no matter what
Recommendation

Default to auto_submit=false, require explicit approval before each upload, and set rate limits plus a clear stop/delete workflow.

Concern
High Confidence
ASI10: Rogue Agents
What this means

The agent may keep using provider quotas, creating content, and posting publicly after the user has stopped actively supervising it.

Why it was flagged

The skill promotes long-running autonomous behavior beyond a single user request.

Skill content
24/7 autonomous acid techno musician ... Produces original acid techno tracks every 12 hours ... No human intervention needed
Recommendation

Run it manually or on a time-bounded schedule first, enable alerts/log review, and confirm there is an easy kill switch before background or cloud deployment.

What this means

If the agent is misconfigured or influenced by bad input, it could perform web or filesystem actions outside the intended music workflow.

Why it was flagged

The example grants broad tool access to an autonomous agent without scoping specific domains, directories, or approved actions.

Skill content
"allow": [ "browser", "nodes", "file_system", "web_fetch", "http_request" ]
Recommendation

Restrict tools to the needed music-provider and claw.fm endpoints, limit file access to a dedicated output directory, and require approval for non-routine HTTP or file operations.

What this means

Provider keys can authorize account usage, incur costs, or expose account access if mishandled.

Why it was flagged

The skill uses expected provider credentials for Claude and optional music generation APIs; users should notice these account credentials are involved.

Skill content
**Anthropic API Key** (required) ... export ANTHROPIC_API_KEY=sk-ant-... ... export SUNO_API_KEY=su-... ... export UDIO_API_KEY=ud-...
Recommendation

Use dedicated, least-privilege API keys, monitor billing/usage, avoid pasting secrets into chat, and keep any connected wallet low-risk with auto-withdraw disabled.

What this means

The agent could ingest updated remote instructions that were not part of this review.

Why it was flagged

Installation references unpinned remote skill instructions that can change outside the reviewed artifact set.

Skill content
Read https://claw.fm/skill.md
Read https://claw.fm-acid-techno/SKILL.md ... Your agent will: - Download the skill
Recommendation

Prefer the reviewed registry artifact, or manually verify and pin any remote content before letting the agent read or download it.