AI Music Generation
Pass
Audited by ClawScan on May 1, 2026.
Overview
The skill is a coherent ShortAPI music-generation integration that requires a ShortAPI key and uses bounded background polling, with no artifact-backed evidence of deceptive or destructive behavior.
Before installing, confirm you are comfortable sending prompts and generation requests to ShortAPI, provide only a ShortAPI key, avoid putting secrets in prompts or callback URLs, and ensure the agent limits polling to user-started jobs for no more than 5 minutes.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill lets the agent make ShortAPI job requests with the user's ShortAPI key.
The skill requires a ShortAPI credential and uses it to authenticate API calls. This is expected for the stated integration, but it is still account authority the user should protect.
"requires": { "env": ["SHORTAPI_KEY"] } ... "Authorization: Bearer $SHORTAPI_KEY"
Use only a ShortAPI-specific key, keep it in the environment rather than chat, and rotate it if exposed.
A changed or overly broad remote model document could influence how the agent builds ShortAPI requests.
The agent relies on a runtime-fetched Markdown document to construct API arguments. That is purpose-aligned, but retrieved content should be limited to schema interpretation and not treated as authority for unrelated instructions.
You **MUST** first fetch the detailed skill document ... The document returned in Step 1 is the sole source of truth for the model's input schema.
Treat fetched model documents as parameter schemas only; ignore unrelated instructions, credential requests, or tool-use directions in those documents.
After starting a generation job, the agent may keep querying ShortAPI for status for up to 5 minutes without further prompts.
The skill directs autonomous background polling after a job starts. The behavior is disclosed and bounded, but users should understand the agent may continue making status requests for a short period.
The Agent should poll the status endpoint for a maximum of **5 minutes** per job ... You **MUST** continue to poll the status endpoint in the background silently.
Allow polling only for user-started jobs and ensure the 5-minute limit and current-conversation-only state handling are enforced.
