musicful music generator
PassAudited by ClawScan on May 1, 2026.
Overview
This skill appears to do what it says: it uses a Musicful API key to send music or lyric prompts to Musicful and poll for generated audio links.
Before installing, confirm you are comfortable providing a Musicful API key, keep the .env file private, verify MUSICFUL_BASE_URL points to the intended provider, avoid sensitive content in prompts or lyrics, and consider pinning dependencies if you manage a stricter environment.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the command can run local Python and initiate Musicful generation requests, which may consume API quota or credits.
The skill invokes bundled Python scripts with user-supplied music prompts. This is the expected execution path and uses argument arrays rather than shell commands, but users should understand that invoking the skill runs local code and can submit API requests.
"exec": { "type": "process", "command": "python3", "args": ["~/.openclaw/workspace/skills/musicful-music-generator/scripts/dispatch_music_generator.py", "--prompt", "${prompt}"] }Use the skill only for intended music-generation requests and monitor Musicful account usage if the key is billable.
The skill can act under the configured Musicful API key and may use that account's quota or paid access.
The code sends the configured MUSICFUL_API_KEY as an API credential on Musicful requests. This is necessary for the stated service integration and no logging or unrelated transmission is shown.
return {"x-api-key": key, "Content-Type": "application/json"}Use a Musicful key you can revoke, keep the .env file private, and verify the configured base URL before use.
Any personal or sensitive details included in prompts or lyrics may be sent to Musicful for processing.
The skill sends user prompts, and in other paths provided or generated lyrics, to the external Musicful API. This is disclosed and central to the skill's purpose.
requests.post(url, json={"prompt": prompt}, headers=_headers(api_key), timeout=60)Avoid putting secrets or sensitive personal information in music prompts or lyrics unless you are comfortable sharing them with the provider.
Dependency behavior can vary depending on what versions are installed in the user's environment.
The dependency versions are lower-bounded rather than pinned, so environments that install them may resolve to different future package versions. There is no automatic install script shown.
requests>=2.31.0 python-dotenv>=1.0.1
Install dependencies from trusted sources and pin exact versions in controlled or high-assurance environments.