Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
music generate
v1.0.0
Music composition assistant. Accepts natural language input, guides the user through multi-turn interaction to define genre, mood, theme, tempo, and other mu...
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (music composition assistant that builds prompts for Suno/Udio and saves output) matches the SKILL.md content. The steps (multi-turn elicitation, prompt generation, instructions for using web UI or local API wrappers, and saving files) are coherent with the stated purpose.
Instruction Scope
The SKILL.md includes executable guidance and a Python snippet that reads SUNO_API_URL from the environment and downloads audio URLs, but the skill metadata declared no required env vars. The instructions also advise storing account session credentials in a local .env file and using community API wrappers — this directs the user/agent to handle credentials and to write files to user-specified paths (which could be any filesystem location). The code downloads content from arbitrary URLs returned by the API and writes it to disk without extra validation. These behaviors are plausible for the feature but expand scope (credential handling, filesystem writes, network fetches) beyond what the metadata advertises.
Install Mechanism
No install spec or code files are present; the skill is instruction-only. That minimizes disk footprint and installation risk.
Credentials
The metadata lists no required environment variables, yet the runtime instructions and sample code require SUNO_API_URL and discuss storing session credentials in a .env. Asking users to supply account session credentials (for community wrappers) is sensitive and should be declared explicitly. The skill's declared surface does not justify or disclose this credential handling.
Persistence & Privilege
The skill is not always-enabled and does not request persistent privileges or make changes to other skills or global agent configuration. Autonomous invocation is allowed (platform default) but is not combined with other high-privilege requests.
What to consider before installing
This skill appears to do what it says (help craft prompts and save generated music), but the instructions ask you to configure a local API endpoint (SUNO_API_URL) and to use community wrappers that require session credentials — none of which are declared in the skill metadata. Before installing or using this skill:
- Prefer the web interface option (paste prompts into Suno/Udio web apps) if you don't want to share credentials or run local wrappers.
- If you run a community wrapper, inspect its source, run it locally in a sandbox, and avoid pointing SUNO_API_URL at a remote server you don't control.
- Do not store session cookies or account credentials in places that could be checked into source control; use a secure secrets mechanism.
- Be cautious when choosing the output save path — avoid system or sensitive directories.
- Ask the skill author to declare required environment variables (e.g., SUNO_API_URL) and to explain exactly what credentials are needed and why; a coherent metadata declaration would increase trust.
Given the undeclared credential and environment usage, treat this skill as suspicious until these clarifications are provided.
Like a lobster shell, security has layers — review code before you run it.
