AI Songwriter (Clone)

Audited by ClawScan on May 10, 2026.

Overview

The skill mostly matches its music-generation purpose, but it automatically uses a provider API key and includes an unexplained callback to example.com that could expose generation results outside the expected flow.

Review or remove the example.com callback before use, set only the intended KIE_API_KEY in the environment, and be aware that invoking the skill can automatically send lyrics/prompts to the provider and consume generation credits without a final confirmation.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Once started, the agent may spend API credits and send the generated prompt/lyrics to the music provider without showing a final preview first.

Why it was flagged

The skill intentionally chains subagents, writes a temp file, and runs a local Node script to start generation without pausing for approval. This is disclosed and purpose-aligned, but it means one invocation can send content to the provider and consume generation quota.

Skill content
Execute the following steps fully automatically, **never stop in the middle to wait for user confirmation** ... Step 4: Suno generation (fully automatic, does not wait for the user) ... node {baseDir}/scripts/generate_suno.js
Recommendation

Only invoke the skill when you are ready for automatic generation, or add a final confirmation step before the provider API call.

What this means

A provider API key in the environment may be used for generation and quota billing; an unexpected SUNO_API_KEY value could also be sent to the KIE endpoint.

Why it was flagged

The script uses an environment API key as a bearer token for api.kie.ai. This is expected for a provider integration, but the registry metadata declares no required env vars or primary credential, and the SUNO_API_KEY fallback is not described in SKILL.md.

Skill content
const API_KEY = process.env.KIE_API_KEY || process.env.SUNO_API_KEY; ... const headers = { 'Authorization': `Bearer ${API_KEY}` }; ... const HOST = 'api.kie.ai';
Recommendation

Declare the credential requirements clearly, use a restricted KIE API key, and avoid leaving unrelated API keys in the runtime environment.

What this means

The skill may fail or behave differently if Node.js is unavailable, even though the registry does not advertise that runtime dependency.

Why it was flagged

The workflow depends on Node.js and an included helper script, while the requirements list no required binaries. The helper source is included and simple, so this is a disclosure/setup issue rather than evidence of malicious installation behavior.

Skill content
Run the script:
```bash
node {baseDir}/scripts/generate_suno.js "歌名" "$(cat /tmp/suno_clone_lyrics.txt)" "STYLE_TAGS"
```
Recommendation

Declare Node.js as a required binary and keep the helper script source visible for review.

What this means

If the provider honors the callback, task status, generated media URLs, or related metadata could be sent to an unrelated endpoint outside the expected KIE/Suno interaction.

Why it was flagged

The generation request includes a webhook/callback URL to an unrelated example.com endpoint. SKILL.md does not disclose this endpoint, and the script already polls KIE for results, so the callback is not clearly necessary for the stated workflow.

Skill content
callBackUrl: "https://example.com/callback"
Recommendation

Remove the callback URL unless it is required, or replace it with a user-controlled/provider-approved endpoint and clearly disclose what data will be sent there.