Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
mmMusicMaker
v1.0.0
Create music with MiniMax music models (e.g., music-2.5). Use when generating songs or instrumental tracks from lyrics and style prompts, or when integrating...
by Haolan He @blue-coconut
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, SKILL.md, code files, and reference doc all align: this is a MiniMax music-generation client that calls https://api.minimaxi.com/v1/music_generation. However, the registry metadata does not declare the MINIMAX_MUSIC_API_KEY environment variable or any primary credential even though both SKILL.md and the scripts require it.
Instruction Scope
Runtime instructions are limited to building prompts, calling the MiniMax API, decoding hex or downloading a returned URL, and saving audio to disk. The skill does not read unrelated local files, other environment variables, or system configs beyond the single API key.
Install Mechanism
No install spec (instruction-only with bundled scripts). This is low risk; the skill does network calls at runtime but does not download arbitrary installer artifacts during installation.
Credentials
The code and SKILL.md require MINIMAX_MUSIC_API_KEY, but the registry metadata lists no required environment variables or primary credential. That omission is an incoherence (a real secret is needed but not declared). No other unrelated credentials are requested.
Persistence & Privilege
No special persistence (always=false). The skill does not request to modify other skills or system-wide settings.
What to consider before installing
This skill is plausibly what it says: a MiniMax music-generation client. Before installing, confirm you are willing to provide a MiniMax API key (MINIMAX_MUSIC_API_KEY) and that the domain api.minimaxi.com is the correct official endpoint for your account. The package metadata should be updated to declare the required env var; treat the omission as sloppy packaging rather than proof of malice. Also: (1) review the API key permissions and rotate the key if you later remove the skill, (2) ensure the runtime environment has the Python requests library, (3) sandbox execution if you want to be extra cautious (the script will POST your lyrics/prompts and will download any URL the API returns), and (4) prefer obtaining the skill from a known/trusted source or ask the publisher for corrected metadata if you need higher assurance.
Like a lobster shell, security has layers — review code before you run it.
latest vk976r6cz5vayypmqe3ez12a39d81zcps
