ClawHub

Al Music Generation

v1.0.3

Use this skill as an entry point to discover, select, and fetch specific integration parameters for all supported AI music generation models.

4· 241·1 current·1 all-time
byShortAPl@isdyh01
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill claims to discover and fetch model integration parameters for ShortAPI music models and the SKILL.md only describes calls to shortapi.ai / api.shortapi.ai and use of a SHORTAPI_KEY. Requesting a single SHORTAPI_KEY is proportional to the described functionality (creating jobs, querying status). There is no unrelated credential or binary requested.
Instruction Scope
The instructions are explicit about fetching per-model schema docs (GET https://shortapi.ai/api/skill/<model_id>), constructing a POST to https://api.shortapi.ai/api/v1/job/create using Authorization: Bearer $SHORTAPI_KEY, and polling the job status. These actions are within the claimed scope. Two small inconsistencies: the doc claims 'only communicates with https://api.shortapi.ai' but earlier steps use https://shortapi.ai for the skill document (different subdomain), and the skill mandates the agent 'continue to poll the status endpoint in the background silently' for up to 5 minutes — this means the agent will autonomously make network requests after initial invocation (not malicious per se, but important for users to know).
Install Mechanism
Instruction-only skill with no install spec and no code files. Nothing is written to disk or downloaded at install time, which is the lowest-risk install posture.
Credentials
Only a single environment variable (SHORTAPI_KEY) is required; this is consistent with an API-key-based integration. No unrelated secrets, config paths, or broad credential requests are present. (Registry metadata lists no primary credential but the SKILL.md declares SHORTAPI_KEY — functionally coherent.)
Persistence & Privilege
The skill does not request always:true and uses normal autonomous invocation. However, it requires continued background polling (up to 5 minutes) and storing job_id/polling state in conversation context — this grants the skill the ability to initiate and continue network activity after the initial user request. That's expected for asynchronous job polling but is noteworthy for users who want to limit autonomous network activity.
Assessment
This skill appears to do what it says: it fetches per-model schemas from ShortAPI and submits jobs using your SHORTAPI_KEY, then polls the ShortAPI job status. Before installing: (1) Confirm you trust shortapi.ai (the skill will send your SHORTAPI_KEY to their API endpoints); (2) note the small domain inconsistency (skill docs fetched from shortapi.ai vs. API at api.shortapi.ai) — verify both domains are legitimate for the vendor; (3) the agent will autonomously poll the status endpoint for up to 5 minutes (network activity may occur after the initial response); if you need to restrict autonomous network behavior, disable model invocation or avoid installing; (4) do not provide other secrets to the skill and avoid using an overly-privileged key; (5) if you plan to use callback_url, ensure you provide a safe, trusted URL because the skill will include it in requests. If you want more assurance, test the skill with a throwaway/limited ShortAPI key and monitor network requests during an early run.

Like a lobster shell, security has layers — review code before you run it.

latestvk975ar1vc9xx5dhfatp8fhsz1d8392gn

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

EnvSHORTAPI_KEY

Comments