Ai Songwriter
PassAudited by VirusTotal on May 13, 2026.
Overview
Type: OpenClaw Skill Name: ai-songwriter-renxu Version: 3.0.2 The ai-songwriter-renxu skill bundle is a well-structured and functional set of instructions for an AI agent to generate lyrics, validate rhymes, and produce audio using the MiniMax API. It includes specialized sub-skills for classical poetry and thematic/corporate songwriting, utilizing Python scripts for local rhyme validation and the 'mmx' CLI for music generation. The delivery logic in SKILL.md and delivery/SKILL.md provides standard procedures for sending files via platforms like WeCom and Feishu, using official API endpoints (e.g., open.feishu.cn). No evidence of malicious intent, data exfiltration, or harmful prompt injection was found; the instructions are strictly aligned with the stated creative and delivery purposes.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill may give the agent access to a MiniMax account key that can make API calls and potentially incur usage costs.
The skill expects a MiniMax API key and mmx CLI access for music generation. This is aligned with the stated purpose, but it is sensitive authority and the registry requirements list no required env vars or binaries.
required_environment_variables: - MINIMAX_CN_API_KEY required_commands: - mmx
Use a scoped or limited MiniMax key where possible, monitor usage, and ensure the skill metadata accurately declares the required credential and command.
The generated song file may be uploaded or sent to the current chat/channel automatically after the lyrics have been confirmed and the audio is generated.
After audio generation, the skill instructs the agent to use the message/file-delivery tool to send the generated file. This is expected for a song delivery skill, but it is an outward action users should understand.
生成完成即发送:音频文件生成后,立即发送给用户,不等用户催
Before confirming generation, verify the destination channel and ask for an additional send confirmation if the channel is shared or public.
Execution depends on whichever mmx binary is available in the user's environment.
The workflow depends on an external mmx command, but the supplied package is instruction-only and does not include a pinned install specification for that dependency.
required_commands: - mmx
Install mmx from a trusted official source, keep it updated, and consider adding explicit installation/version metadata.