Hum2Song

Security checks across malware telemetry and agentic risk

Overview

Hum2Song's artifacts match its local music-conversion purpose, with the main caution being user-installed third-party audio/AI dependencies and optional model downloads.

This appears safe to use for local audio-to-song conversion. Before installing, verify the Python/system packages and optional ACE-Step repository, consider using a virtual environment, and avoid AI mode unless you are comfortable with the additional local model download and code dependency.

VirusTotal

60/60 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Installing dependencies from package managers or a GitHub repository can run third-party code on the user's machine.

Why it was flagged

The skill relies on user-installed third-party packages and an optional external repository without pinned versions; this is central to the music-processing purpose and disclosed as manual setup, but users should verify provenance.

Skill content

pip install basic-pitch pretty_midi librosa soundfile numpy
...
git clone https://github.com/ace-step/ace-step.git
...
pip install -r ace-step/requirements.txt

Recommendation

Install in a virtual environment, review the ACE-Step repository before use, and prefer pinned or trusted versions where possible.

ASI05: Unexpected Code Execution
Low
What this means

If the local ACE-Step checkout or model source is untrusted, enabling AI mode could run untrusted code or consume significant disk/network resources.

Why it was flagged

When `--use-ai` is selected, the script imports and runs a locally installed ACE-Step package and loads model weights; this is optional and purpose-aligned but executes code outside the reviewed skill.

Skill content

sys.path.insert(0, os.path.expanduser("~/ace-step"))
from ace_step import MusicGenerator
generator = MusicGenerator.from_pretrained("ace-step/base")

Recommendation

Use `--use-ai` only after intentionally installing ACE-Step from a trusted source; otherwise rely on the default SoundFont mode.