Skill v1.0.2
ClawScan security
acestep · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 16, 2026, 11:54 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill appears to do what it says: a wrapper around an ACE‑Step music API using a provided bash script; nothing requested or installed is disproportionate to that purpose.
- Guidance: This skill is a wrapper around an ACE‑Step API and uses the provided bash script to send prompts/lyrics and download audio. Before installing or running it:
  1. Confirm the api_url in scripts/config.json (default is localhost; example points to api.acemusic.ai).
  2. Treat any API key you put into config.json as a secret stored on disk (the script stores/reads it from that file).
  3. Expect that full user-provided lyrics and prompts will be transmitted to the configured API and that audio and JSON results will be saved under project_root/acestep_output.
  4. Ensure you trust the ACE‑Step API host you configure (or run a local instance) if you need privacy or control over your data.
  5. The script requires curl and jq; inspect scripts/acestep.sh before running in your environment.

  If you want stronger secrecy for keys, consider managing the API key outside the repo and not committing config.json.
Review Dimensions
- Purpose & Capability (ok): Name/description match the actual files: SKILL.md, an API reference, a config example, and a single bash CLI (scripts/acestep.sh) that talks to ACE‑Step endpoints. There are no unrelated credentials, binaries, or platform-level access requested.
- Instruction Scope (note): Runtime instructions require using the included script (not direct API calls). The skill instructs the agent to pass complete lyrics/prompts to the API and to save outputs to project_root/acestep_output. This means potentially sensitive user-provided lyrics/prompts and generated audio will be transmitted to the configured API and written to disk; this is coherent with the stated purpose but is a privacy/data‑exfiltration consideration the user should be aware of.
- Install Mechanism (ok): No install spec; this is instruction-only with an included shell script. No packages are downloaded or extracted by the skill itself. The script requires standard tools (curl, jq) which are declared in the docs.
- Credentials (note): The skill declares no required environment variables. API authentication is handled via scripts/config.json (api_key) rather than env vars. Storing an API key in the config file is functional but users should note it may be stored in plaintext under the skill directory. The default api_url is localhost (127.0.0.1) but the example config points to a remote host (https://api.acemusic.ai); confirm and trust the API endpoint before use.
- Persistence & Privilege (ok): always:false (not force-included). The skill writes its own config.json and outputs to a project-level output folder (acestep_output) but does not request system-wide configuration changes or other skills' secrets.
