Skill v1.0.4

ClawScan security

Skywork Music Maker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 9, 2026, 12:32 PM
Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's requirements, code, and runtime instructions are consistent with a Mureka-based music generation tool and request only the Mureka API key and Python/requests; nothing obvious is mismatched or trying to access unrelated credentials or endpoints.
Guidance
This skill is internally coherent with its declared purpose (Mureka music generation). Before installing:
1) Confirm you trust the skill source/homepage and Mureka (the registry owner is not a well-known publisher here).
2) Use a dedicated Mureka API key/account with limited billing/quota (so you can revoke it if needed).
3) Inspect or run the Python script in a contained environment (venv or sandbox) and verify the 'requests' dependency is installed from PyPI; the installer label 'uv' is unusual — ask the publisher what installer 'uv' means or install dependencies yourself (pip install requests).
4) Be aware of privacy/legal concerns around uploading vocal samples or cloning voices — only upload samples you have the right to use.
5) If you need stronger assurance, ask the publisher for a signed release or host-of-record (e.g., GitHub release) so you can verify checksums.
Overall this appears safe to proceed with standard precautions.

Review Dimensions

Purpose & Capability
ok: Name/description (music generation via Mureka) aligns with requested resources: python3, the requests dependency, and a single API key (MUREKA_API_KEY) for api.mureka.ai. The bundled CLI (scripts/mureka.py) implements the described functionality (song/instrumental/lyrics/upload).
Instruction Scope
ok: SKILL.md and the CLI instruct the agent to call only the Mureka API endpoints, save generated audio locally, and upload user-provided reference files only when explicitly requested. The instructions do not ask the agent to read arbitrary system files, other credentials, or contact unrelated endpoints.
Install Mechanism
note: Only one dependency is declared (requests), which matches the code. The install kind is listed as 'uv', which is uncommon; this is likely an installer label mismatch but not inherently malicious. The package source appears to be the PyPI requests library (expected).
Credentials
ok: The only required environment variable is MUREKA_API_KEY (primary credential), which is appropriate for a tool that calls the Mureka API. No other secrets or unrelated credentials are requested, and the code only reads that env var.
Persistence & Privilege
ok: The skill does not request permanent 'always' inclusion, does not modify other skills, and requires no system-wide configuration. It writes outputs to user-specified output directories only (typical for a generation tool).