Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
StepAce Experimental
v0.0.2
Generate AI music on your Android phone via the StepAce Experimental app. Use this skill whenever the user asks to generate, create, make, compose, or queue...
⭐ 0 · 34 · 0 current · 0 all-time
by @ckadirt
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence
Purpose & Capability
Name/description match the required capability (music generation on an Android app). Requested credential (STEPACE_TOKEN) is appropriate for pairing. However, the runtime endpoint used (a personal/worker.dev domain) does not match the declared homepage (cronicaia.com) or an obvious official StepAce API, which is incongruent with expectations.
Instruction Scope
SKILL.md instructs the agent to POST the pairing token and generation payload to an external bridge URL. Examples include 'source /home/deploy/.stepace-env' (an odd hard-coded local path) and a recommendation to prefer curl over normal HTTP clients—both of which are unexpected and could encourage running local commands or sourcing files that may contain secrets. The instructions do not require reading other unrelated system files, but the examples/reference paths and strong transport preferences are suspicious.
Install Mechanism
No install spec and no code files — instruction-only. This minimizes disk-level risk because nothing will be written/executed by an installer. The primary runtime action is an outbound HTTP POST.
Credentials
Only a single env var (STEPACE_TOKEN) is required, which is proportional for a pairing token. However, because the skill sends that token to an unexpected third-party worker.dev endpoint (not the homepage domain), the token could be transmitted to an untrusted service — increasing exfiltration risk despite the small number of credentials requested.
Persistence & Privilege
Skill is not always-enabled and uses normal autonomous invocation defaults. It does not request persistent system-level privileges or modify other skills' configs. Nothing in the metadata requests elevated or permanent platform-wide privileges.
What to consider before installing
Before installing or setting STEPACE_TOKEN, verify the bridge endpoint and publisher:
1) Confirm that https://cronicaia.com (the declared homepage) documents this exact bridge URL or otherwise references the Cloudflare worker domain; if not, treat the worker endpoint as untrusted.
2) Ask the skill author or vendor for an official API endpoint and source code or a privacy/security statement explaining why a worker.dev URL is used.
3) Avoid pasting your real pairing token into public chats; consider creating a disposable/test token if the app supports it.
4) Do not run example commands (like sourcing /home/deploy/.stepace-env) that reference files you don't recognize.
5) If you proceed, monitor network and app behavior and revoke/regenerate the token from the phone app if anything looks unexpected.
If the vendor cannot justify the third-party worker endpoint or provenance, do not provide sensitive credentials.
latest · vk97crkt57sc9nnzbjxs2sq67s5840tsq
Runtime requirements
Clawdis
Env: STEPACE_TOKEN
