CC3PO Music Generation

Pass. Audited by ClawScan on May 9, 2026.

Overview

This appears to be a benign music-generation guide, with normal caveats around optional API tokens, third-party wrappers, and local package installs.

It is safe to treat as an instruction-only music-generation guide. Before using provider APIs or the local setup examples, verify the service, protect API tokens, review costs and licensing, and run any local package installs in an isolated environment.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used, the agent or generated code may access a paid provider account and could incur generation charges.

Why it was flagged

The provider documentation shows an API token being used for Replicate. This is expected for pay-per-use music generation, but users should be aware that using the skill may require account credentials even though no required credential is declared in the registry metadata.

Skill content

pip install replicate
export REPLICATE_API_TOKEN="r8_xxx"

Recommendation

Use provider tokens only when needed, keep them in a secret store or environment variable, avoid pasting secrets into chat, and monitor provider billing and token scopes.

What this means

Prompts, lyrics, billing details, or API credentials may be handled by a third-party service with different privacy, reliability, and terms.

Why it was flagged

The skill openly documents unofficial Suno API options. This is disclosed and relevant to the music-generation purpose, but it relies on third-party services rather than an official Suno API.

Skill content

**Note:** No official public API. Third-party wrappers available:

"https://api.sunoapi.org/v1/generate"
...
"https://api.piapi.ai/api/v1/suno/generate"

Recommendation

Prefer official provider interfaces when available, and vet third-party wrapper terms, privacy practices, pricing, and credential handling before use.

What this means

Running these commands could execute third-party package code on the user's machine.

Why it was flagged

The local setup example clones a repository and installs its dependencies. This is user-directed and purpose-aligned for local audio generation, but it means running third-party code and installing unpinned packages.

Skill content

git clone https://github.com/riffusion/riffusion.git
cd riffusion
pip install -r requirements.txt

Recommendation

Run local model setups in an isolated virtual environment or container, review the repository, and pin dependency versions for reproducibility.

What this means

It may be harder to confirm the exact publisher lineage of the packaged skill.

Why it was flagged

The embedded metadata owner and slug differ from the registry metadata shown for the evaluated skill. Since the skill contains no runnable code, this is a minor provenance ambiguity rather than evidence of harmful behavior.

Skill content

"ownerId": "kn73vp5rarc3b14rc7wjcw8f8580t5d1",
"slug": "music-generation"

Recommendation

Verify the ClawHub listing and publisher identity if provenance is important before installing.