mmMusicMaker
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: mm-music-maker
Version: 1.0.0

The skill's core functionality is benign: it generates music through the MiniMax API. However, `scripts/generate_music.py` accepts an arbitrary file path through its `--output` argument and passes it unchanged to the `save_bytes` and `download_url` functions in `scripts/utils_audio.py`, which use `pathlib.Path` to create and write the file. `pathlib` normalizes the path but does not confine it: if the agent running the skill has the permissions, a caller can direct the write to sensitive locations such as `/etc/cron.d/` or `~/.ssh/`. This is an arbitrary file write caused by missing validation of the output path, and it could be used for persistence or privilege escalation. Because nothing in the code shows intent to exploit this itself, the skill is classified as suspicious rather than malicious.
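The output-path issue described above, as an added example written for this review (it is not the skill's own `scripts/utils_audio.py`): a sketch of the vulnerable pattern next to a hardened save that confines every `--output` value to a chosen directory, resolves the path before checking it, and refuses non-audio file names. The function names, the base-directory parameter, and the suffix allowlist are assumptions; the candidate paths in `demo()` are constructed for illustration.

```python
"""Output-path confinement for a download/save helper.

Added example for this review, not the skill's code. save_bytes_unsafe
reproduces the pattern described above (user-controlled path handed straight
to pathlib); save_bytes_confined is the hardened form. The base-directory
parameter and the audio suffix allowlist are assumptions.
"""
from __future__ import annotations

import os
import tempfile
from pathlib import Path

ALLOWED_SUFFIXES = {".mp3", ".wav"}  # assumed set of formats the tool should emit


class PathEscape(ValueError):
    """Requested path resolves outside the permitted output directory."""


class BadSuffix(ValueError):
    """Requested path is not a permitted audio file name."""


def save_bytes_unsafe(data: bytes, output: str) -> Path:
    """Vulnerable pattern: whatever the caller passes is created and written.

    Path() normalizes "a/../b" but returns "/etc/cron.d/job" unchanged for an
    absolute argument; an unquoted "~/.ssh/..." is expanded by the shell first.
    """
    target = Path(output)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)
    return target


def resolve_within(base: Path | str, user_path: str) -> Path:
    """Return base/user_path fully resolved, or raise PathEscape.

    Joining an absolute user_path discards base (Path("/a") / "/etc/x" ==
    Path("/etc/x")), and resolve() follows ".." and symlinks, so the check
    must be made on the final resolved location, not on the input string.
    """
    base = Path(base).resolve()
    resolved = (base / user_path).resolve()
    if base not in resolved.parents:
        raise PathEscape(f"{user_path!r} resolves to {resolved}, outside {base}")
    return resolved


def save_bytes_confined(data: bytes, output: str, base: Path | str) -> Path:
    """Hardened save: confine to base, restrict the name, and refuse to follow a
    symlink planted at the final component between resolve() and open()."""
    target = resolve_within(base, output)
    if target.suffix.lower() not in ALLOWED_SUFFIXES:
        raise BadSuffix(f"{output!r}: expected one of {sorted(ALLOWED_SUFFIXES)}")
    target.parent.mkdir(parents=True, exist_ok=True)
    # O_NOFOLLOW only applies to the last path component; on platforms without it
    # (Windows) the flag is skipped and only the resolve()-time check remains.
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(target, flags, 0o644)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return target


def try_save(base: Path | str, output: str, data: bytes = b"ID3") -> str:
    """Classify one --output value against the confined writer."""
    try:
        save_bytes_confined(data, output, base)
    except PathEscape:
        return "outside-base"
    except BadSuffix:
        return "bad-suffix"
    return "written"


def demo() -> dict[str, str]:
    """Exercise constructed --output values in throwaway directories."""
    candidates = [
        "song.mp3",                # normal use
        "sub/track.WAV",           # nested path, case-insensitive suffix
        "/etc/cron.d/mm-music",    # absolute path: a persistence target
        "../escape.mp3",           # traversal above base
        "~/.ssh/authorized_keys",  # literal "~" stays inside base; name rejected
    ]
    with tempfile.TemporaryDirectory() as base, tempfile.TemporaryDirectory() as other:
        verdicts = {c: try_save(base, c) for c in candidates}
        # The unsafe helper lands wherever an absolute path points.
        planted = save_bytes_unsafe(b"x", str(Path(other) / "planted.mp3"))
        outside = Path(base).resolve() not in planted.resolve().parents
        verdicts["unsafe:<absolute path elsewhere>"] = (
            "written-outside-base" if outside else "contained"
        )
        return verdicts


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:22} {path}")
```

The check is made on the resolved location rather than by filtering the input string, because `..`, absolute paths and symlinks all defeat string matching; `O_NOFOLLOW` closes the remaining window where a symlink is planted at the final component after `resolve()` has run.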
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your lyrics, style prompts, and related generation settings are sent to MiniMax to create the audio.
The script sends the generated payload, including user lyrics and prompts, to the MiniMax music API. This is central to the skill's purpose, but users should know their input leaves the local environment and may consume provider quota.
```python
API_URL = "https://api.minimaxi.com/v1/music_generation"
...
resp = requests.post(API_URL, json=payload, headers=headers, timeout=120)
```
Use the skill only for content you are comfortable sending to MiniMax, and review provider terms, privacy, and quota/cost implications.
Anyone who can run this skill in your environment can make MiniMax API calls under your key's permissions and quota.
The script requires a MiniMax API key and sends it as a bearer token to the fixed MiniMax endpoint. This is expected for the integration, but it is still account-backed authority.
```python
api_key = os.getenv("MINIMAX_MUSIC_API_KEY")
...
"Authorization": f"Bearer {api_key}"
```
Use a dedicated or limited MiniMax key if available, avoid sharing the key in prompts or files, and revoke or rotate it if you no longer trust the environment.
You have less external context for who maintains the skill or where to verify updates.
The registry metadata does not provide an upstream source or homepage for provenance verification. The included code is simple and purpose-aligned, so this is a provenance note rather than a concern.
Source: unknown; Homepage: none
Review the included scripts before use and install dependencies only from trusted package sources.
