Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Producer Music

v1.0.0

Generate AI music with Producer via AceDataCloud API. Use when creating songs, generating lyrics, extending tracks, creating covers, swapping vocals/instrume...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md describes exactly the actions you would expect for an AI music Producer (generate, cover, extend, upload, fetch WAV/video). Requiring an API token for AceDataCloud is appropriate for this purpose. However, the registry metadata lists no required environment variables or primary credential while the SKILL.md explicitly states it requires ACEDATACLOUD_API_TOKEN—this is an internal inconsistency.
Instruction Scope
Runtime instructions are limited to HTTP calls to api.acedata.cloud endpoints and uploading reference audio. They do not instruct the agent to read local files, other environment variables, or unrelated system paths. One scope-related note: uploading reference audio will transmit user audio to a third-party service; SKILL.md provides no privacy/retention guidance.
Install Mechanism
There is no install spec and no code files; the skill is instruction-only and will not write or execute code on disk as part of installation.
Credentials
The SKILL.md requires ACEDATACLOUD_API_TOKEN (reasonable and expected), but the registry metadata declares no required env vars or primary credential. That mismatch could be an oversight or misconfiguration in the published metadata; it reduces transparency about what secrets the skill will need.
Persistence & Privilege
The skill is not always-enabled and does not request system-wide persistence or to modify other skills. Autonomous invocation is allowed (platform default), which is expected for a functional skill.
What to consider before installing
Before installing, confirm the skill's provenance (author/homepage) and that api.acedata.cloud is the intended service. The SKILL.md requires ACEDATACLOUD_API_TOKEN but the registry metadata does not list it; ask the publisher to correct this, or hold off on installing until it is fixed. If you test this skill, use a limited-scope or throwaway API token (do not reuse production credentials). Be aware that uploading reference audio or lyrics will send your content to the third-party service; review their privacy/retention and copyright policies. If possible, verify expected endpoints and responses with a test account and monitor network activity when first using the skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk975pwy0bggncnmbw99dbm06p983cgbr
