AI Stem Splitter
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill appears coherent and benign, but it uses a service API key and sends the chosen audio to an external hosted stem-splitting API.
This skill is reasonable for hosted audio stem separation. Before using it, verify the AI Stem Splitter service and any optional SDK package, provide the API key only when needed, and confirm that the specific audio file or URL may be sent to the provider.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If you provide the API key, the agent can use that account for the requested splitting workflow.
The skill requires a bearer API key for the stem-splitting service. This is disclosed and purpose-aligned, but the key can authorize API calls and potentially consume account credits.
Check for `AISTEMSPLITTER_API_KEY` in the environment or ask the user for one. Never print or store the key.
Use a revocable or scoped key if available, keep it out of public chats or logs, and revoke it if you no longer need the integration.
Audio you choose to process may leave your device and be processed by the external service.
The main workflow sends the selected local audio file to a hosted provider. This is necessary for the advertised functionality, but it crosses a data boundary.
For local files, reserve an upload, upload bytes to the returned presigned URL, then submit the uploaded file.
Only submit files or URLs you are comfortable sending to the provider, confirm the exact source before upload, and ensure you have rights to process the audio.
If you choose the SDK path, additional third-party package code would be installed in your environment.
The reference documentation includes optional SDK installation commands from public package registries. This is consistent with the API integration, but package versions are not pinned in the docs.
`npm install @aistemsplitter/sdk` ... `pip install aistemsplitter`
Install SDKs only from official package pages, pin versions for production use, and review package provenance before running them.
