Skywork Music Maker
PassAudited by ClawScan on May 1, 2026.
Overview
This is a coherent Mureka music-generation skill, but users should notice that it uses their Mureka API key and can send lyrics, prompts, and uploaded audio or vocal samples to Mureka.
Before installing, make sure you are comfortable using your own Mureka API key and sending prompts, lyrics, and any selected audio or vocal samples to Mureka. Confirm generation prompts, output folders, and upload file paths, and only use voice/reference audio you have permission to process.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Private lyrics, reference tracks, or voice samples may be uploaded to Mureka as part of generation.
The skill clearly discloses that user prompts and uploaded audio, including vocal samples, leave the local machine and are processed by Mureka.
Lyrics text, music prompts, and uploaded audio files (reference tracks, vocal samples, melodies) are sent to Mureka servers for music generation
Only upload audio you have rights and consent to use, and avoid sending sensitive or private voice samples unless you are comfortable with Mureka processing them.
Generated music requests may use your Mureka account quota or paid credits.
The CLI authenticates to Mureka with the user's API key, which is expected for the service but grants access to the user's Mureka account and billing.
key = os.getenv("MUREKA_API_KEY") ... return {"Authorization": f"Bearer {key}", "Content-Type": "application/json"}Use a dedicated Mureka API key if possible, keep it secret, and monitor your Mureka usage and billing.
If the wrong file path is provided, an unintended local audio file could be uploaded.
The upload command can read a user-specified local file and upload it to Mureka; this is central to reference-track and vocal-cloning features and is documented as user-initiated.
with open(file_path, "rb") as f: resp = requests.post(url, headers={"Authorization": f"Bearer {key}"}, files={"file": f}, data={"purpose": purpose}, timeout=120)Confirm file paths before upload, especially for vocal samples or private recordings.
Installation depends on the package resolver fetching the current requests package and its dependencies.
The skill installs the common HTTP library requests without a pinned version; this is ordinary for an API wrapper but is still a small supply-chain notice.
uv | package: requests
Install in a standard managed environment and consider pinning dependencies if you require reproducible installs.