ClawHub
Back to skill
v0.1.0

Voice Note To Midi

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 4:55 AM.

Analysis

The skill appears aligned with converting audio to MIDI, but its setup depends on external packages and a helper script that users should review before installing.

GuidanceThis looks like a benign, purpose-aligned audio-to-MIDI tool. Before installing, review the external hum2midi helper script and Python dependencies, and only opt into the PATH modification if you are comfortable letting that install directory affect future terminal commands.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceHighStatusNote
setup.sh
pip install basic-pitch librosa soundfile mido ... echo "  wget https://raw.githubusercontent.com/basic-pitch/basic-pitch/main/hum2midi -O $INSTALL_DIR/hum2midi"

The installer uses unpinned external Python dependencies and, if the main hum2midi script is absent, instructs the user to manually download a remote script. This is expected for an ML audio tool, but it is a provenance and review point.

User impactInstalling may run code from third-party packages or a separately downloaded helper script that was not fully represented in the provided artifact set.
RecommendationReview the helper script source and consider pinning dependency versions before installation, especially if using this on sensitive audio or a production workstation.
Rogue Agents
SeverityInfoConfidenceHighStatusNote
setup.sh
echo "Add $INSTALL_DIR to your PATH? [y/N]" ... echo "export PATH=\"$INSTALL_DIR:\$PATH\"" >> "$SHELL_RC"

The setup script can persistently modify the user's shell startup file to add the install directory to PATH. It is prompted and default-off, so this appears user-controlled rather than hidden.

User impactIf accepted, future terminal sessions will prefer commands from the installed melody-pipeline directory when names overlap.
RecommendationOnly accept the PATH change if you trust the installed files, and remove the added line from .bashrc or .zshrc if you no longer use the tool.