Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
mmMusicExpert
v1.0.0
Create music with MiniMax music models (music-2.5+, music-2.5). Use when generating songs, instrumental tracks, or chanting from lyrics and style prompts via...
by Haolan He @blue-coconut
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The name/description match the code and API references (MiniMax music generation). However, the registry metadata declares no required environment variables or primary credential, while both SKILL.md and the included scripts explicitly require MINIMAX_MUSIC_API_KEY and make network calls to api.minimaxi.com. That mismatch (metadata says 'none' but the skill needs an API key) is an inconsistency.
Instruction Scope
SKILL.md defines a tightly-scoped 4-step interactive workflow that only collects musical preferences and constructs prompts/lyrics for the MiniMax API. It instructs use of MINIMAX_MUSIC_API_KEY (necessary for the API). The workflow does not direct the agent to read unrelated system files or exfiltrate data to unexpected endpoints—network activity is limited to the documented MiniMax API. The explicit 'MUST FOLLOW' workflow is restrictive but consistent with the skill's purpose.
Install Mechanism
There is no install spec (instruction-only), but the bundle includes Python scripts. That means nothing will be auto-installed yet code expects runtime dependencies (e.g., Python 'requests') and will perform network I/O. Lack of an install spec or declared dependencies is a packaging inconsistency and may cause runtime surprises, but there's no evidence of downloads from unknown hosts or archive extraction.
Credentials
Registry metadata claims no required env vars, but SKILL.md and scripts expect MINIMAX_MUSIC_API_KEY (Bearer token) and will send user prompts/lyrics to the MiniMax API. Requesting a single API key is proportionate to the stated purpose, but the omission from declared requirements is a red flag: it hides a secret the skill needs. No other unrelated credentials are requested.
Persistence & Privilege
The skill does not request always:true or other elevated persistence. It is user-invocable and allows autonomous model invocation (default), which is normal. The skill does not attempt to modify other skills or system-wide agent settings.
What to consider before installing
This skill's code and documentation appear to match the stated purpose (calling the MiniMax music API), but the registry metadata incorrectly lists no required environment variables while both SKILL.md and the Python scripts require MINIMAX_MUSIC_API_KEY. Before installing or granting access:
- Treat MINIMAX_MUSIC_API_KEY as a secret. Only provide it if you trust the MiniMax service and the skill's author. The skill will send prompts/lyrics (user-provided content) to api.minimaxi.com.
- Ask the publisher to correct the metadata to explicitly declare MINIMAX_MUSIC_API_KEY and any runtime dependencies.
- Review the included scripts yourself (or have someone audit them). The code uses the Python 'requests' library and performs network requests to the documented MiniMax endpoint—ensure you are comfortable with that data flow.
- Run the skill in a constrained environment if you want to test it (limited network access, no other secrets present). Confirm there are no other unexpected endpoints or obfuscated code paths.
- If you need to protect sensitive lyrics/content, consider whether sending them to a third-party API is acceptable.
If you cannot verify the publisher or confirm the API's trustworthiness, consider not installing or only using a throwaway API key in a sandbox.
Like a lobster shell, security has layers — review code before you run it.
