Music Generation
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: music-generation
Version: 1.0.0
The skill bundle consists entirely of documentation files (`.md`) and a metadata file (`_meta.json`). The `SKILL.md` provides instructions for the AI agent that are aligned with the stated purpose of music generation, without any evidence of prompt injection attempts to deviate from this purpose. The other `.md` files contain legitimate Python code snippets demonstrating interaction with various music generation APIs (Mubert, Replicate, Stability AI, Soundraw) and local libraries (MusicGen, Stable Audio Open, Riffusion). File I/O operations are limited to reading/writing audio files, which is central to the skill's function. While some documentation mentions unofficial APIs for Suno and Udio, this is presented as information for the user rather than an instruction to engage in malicious activity. There is no evidence of data exfiltration, unauthorized execution, persistence mechanisms, or obfuscation.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using provider tokens may incur account charges or expose API access if secrets are pasted into chat or stored insecurely.
The skill documents use of a provider API token for Replicate. This is expected for the stated purpose, but it gives access to a paid third-party service and is not declared in the registry credential metadata.
export REPLICATE_API_TOKEN="r8_xxx"
Use only your own provider keys, avoid sharing secrets in prompts, and check provider billing and permissions before use.
Running setup commands installs third-party packages on the user's machine, which can affect the local Python environment.
The documentation includes optional package installation for local music generation. This is purpose-aligned and not automatic, but it still asks the user to install external code.
pip install audiocraft
Run setup commands only in a trusted virtual environment and verify package sources before installing.
Prompts, lyrics, or uploaded reference audio could be sent to third-party services under their terms and retention policies.
One provider example uploads a local audio file to an external API. This is aligned with melody-conditioned music generation, but users should understand that local audio may leave their device.
"input_audio": open("melody.wav", "rb")
Only upload audio or lyrics you are comfortable sharing with the selected provider, and review provider privacy and licensing terms.
Unofficial APIs may have different security, privacy, pricing, reliability, or terms-of-service implications than the original provider.
The Suno provider guide explicitly points to unofficial third-party API wrappers. This is disclosed and relevant to the music generation purpose, but it introduces extra trust and provenance considerations.
**Note:** No official public API. Third-party wrappers available:
Prefer official provider interfaces when available, and carefully vet any unofficial API service before sending prompts, lyrics, files, or API keys.
