CC3PO Music Generation

Pass

Audited by VirusTotal on May 9, 2026.

Overview

Type: OpenClaw Skill
Name: cc3po-music-generation
Version: 1.0.0

The skill bundle is a comprehensive guide for an AI agent to assist users with AI music generation across multiple platforms (Suno, Udio, MusicGen, etc.). The instructions in SKILL.md and the accompanying provider files (e.g., musicgen.md, replicate.md, stable-audio.md) contain legitimate documentation, prompting techniques, and standard Python code snippets for interacting with official and community APIs. There is no evidence of malicious intent, data exfiltration, or prompt injection attacks; all code and instructions are strictly aligned with the stated purpose of music production.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used, the agent or generated code may access a paid provider account and could incur generation charges.

Why it was flagged

The provider documentation shows using an API token for Replicate. This is expected for pay-per-use music generation, but users should notice that using the skill may require account credentials despite no required credential being declared in registry metadata.

Skill content

pip install replicate
export REPLICATE_API_TOKEN="r8_xxx"

Recommendation

Use provider tokens only when needed, keep them in a secret store or environment variable, avoid pasting secrets into chat, and monitor provider billing and token scopes.

What this means

Prompts, lyrics, billing details, or API credentials may be handled by a third-party service with different privacy, reliability, and terms.

Why it was flagged

The skill openly documents unofficial Suno API options. This is disclosed and relevant to the music-generation purpose, but it relies on third-party services rather than an official Suno API.

Skill content

**Note:** No official public API. Third-party wrappers available:

"https://api.sunoapi.org/v1/generate"
...
"https://api.piapi.ai/api/v1/suno/generate"

Recommendation

Prefer official provider interfaces when available, and vet third-party wrapper terms, privacy practices, pricing, and credential handling before use.

What this means

Running these commands could execute third-party package code on the user's machine.

Why it was flagged

The local setup example pulls a repository and installs dependencies. This is user-directed and purpose-aligned for local audio generation, but it means running third-party code and unpinned packages.

Skill content

git clone https://github.com/riffusion/riffusion.git
cd riffusion
pip install -r requirements.txt

Recommendation

Run local model setups in an isolated virtual environment or container, review the repository, and pin dependency versions for reproducibility.

What this means

It may be harder to confirm the exact publisher lineage of the packaged skill.

Why it was flagged

The embedded metadata owner and slug differ from the registry metadata shown for the evaluated skill. With no runnable code this is a minor provenance ambiguity rather than evidence of harmful behavior.

Skill content

"ownerId": "kn73vp5rarc3b14rc7wjcw8f8580t5d1",
"slug": "music-generation"

Recommendation

Verify the ClawHub listing and publisher identity if provenance is important before installing.