Music Generation
PassAudited by ClawScan on May 1, 2026.
Overview
This is a coherent instruction-only music generation guide; it uses expected music providers, API tokens, and optional local setup examples, but shows no hidden or malicious behavior.
This skill appears safe as an instruction-only guide. Before installing packages, using unofficial APIs, or uploading audio/lyrics to a provider, verify the service, protect your API keys, and check licensing and commercial-use terms.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using provider tokens may incur account charges or expose API access if secrets are pasted into chat or stored insecurely.
The skill documents use of a provider API token for Replicate. This is expected for the stated purpose, but it gives access to a paid third-party service and is not declared in the registry credential metadata.
export REPLICATE_API_TOKEN="r8_xxx"
Use only your own provider keys, avoid sharing secrets in prompts, and check provider billing and permissions before use.
Running setup commands installs third-party packages on the user's machine, which can affect the local Python environment.
The documentation includes optional package installation for local music generation. This is purpose-aligned and not automatic, but it still asks the user to install external code.
pip install audiocraft
Run setup commands only in a trusted virtual environment and verify package sources before installing.
Prompts, lyrics, or uploaded reference audio could be sent to third-party services under their terms and retention policies.
One provider example uploads a local audio file to an external API. This is aligned with melody-conditioned music generation, but users should understand that local audio may leave their device.
"input_audio": open("melody.wav", "rb")Only upload audio or lyrics you are comfortable sharing with the selected provider, and review provider privacy and licensing terms.
Unofficial APIs may have different security, privacy, pricing, reliability, or terms-of-service implications than the original provider.
The Suno provider guide explicitly points to unofficial third-party API wrappers. This is disclosed and relevant to the music generation purpose, but it introduces extra trust and provenance considerations.
**Note:** No official public API. Third-party wrappers available:
Prefer official provider interfaces when available, and carefully vet any unofficial API service before sending prompts, lyrics, files, or API keys.