Skill v1.0.0

ClawScan security

AI Songwriter (Clone) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review: Mar 13, 2026, 12:14 PM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill largely does what it claims (autonomous Suno-style song generation) but has several inconsistencies and risky details (an undeclared required environment variable, undeclared runtime/binary requirements, an ambiguous path placeholder, and an automatic network callback) that warrant caution before installing.
Guidance
Before installing, be aware of the following issues:
1. The skill requires an API key (KIE_API_KEY or SUNO_API_KEY) but the registry metadata does not declare this. You will need to provide a key, and that key will be sent to api.kie.ai; ensure the key has limited scope and that you trust the service receiving it.
2. The skill expects Node.js to be available and will execute a script on your agent; confirm your environment and that you trust the included script.
3. SKILL.md mandates fully autonomous operation (spawning subagents, writing /tmp/suno_clone_lyrics.txt, and invoking the script without further confirmation). If you want confirmation before network calls or generation, do not enable autonomous invocation.
4. The script sends a callBackUrl field (https://example.com/callback) to the remote API. Confirm what callbacks the remote service will perform, and consider replacing or removing that URL if you control the integration.
5. SKILL.md contains an unexpanded '{baseDir}' placeholder in the node invocation; verify how your agent substitutes it, to avoid runtime errors or accidental execution from an unexpected path.
6. The skill author is unknown; weigh the trustworthiness of the source and the legal/IP risks of automated 'style-clone' generation before use.
If you decide to proceed, test in a safe environment, limit the API key's permissions, and require explicit user confirmation rather than fully automatic runs.

Review Dimensions

Purpose & Capability
note: The skill's stated purpose (style-clone songwriting via a Suno-like API) matches the included script, which calls api.kie.ai. However, the skill metadata declares no required environment variables or binaries, while SKILL.md and the script require an API key (KIE_API_KEY or SUNO_API_KEY) and assume Node.js is available. That mismatch is unexpected and should have been declared.
Instruction Scope
concern: SKILL.md instructs fully autonomous behavior: spawn parallel subagents, perform analyses, write lyrics to /tmp/suno_clone_lyrics.txt, and immediately invoke the included script without asking the user further. This grants the skill broad runtime discretion (including writing files and making network calls), and the instructions include an unexpanded '{baseDir}' placeholder, a potential source of runtime failures or mis-executions if the agent does not substitute it correctly.
Install Mechanism
note: There is no install spec (instructions plus a single code file), which is low risk from an installer perspective. However, the skill includes a Node script that will be executed, and the metadata does not declare that node/npm is required. No external downloads or obscure URLs are used in the code itself (it calls a legitimate-looking API host).
Credentials
concern: SKILL.md and the script require an API key via KIE_API_KEY (or SUNO_API_KEY), which is proportionate to making requests to api.kie.ai. But the registry metadata lists no required environment variables, which is an inconsistency. The script also posts a callBackUrl field (https://example.com/callback) to the remote API, which could cause out-of-band callbacks or metadata leakage depending on the remote service's behavior.
Persistence & Privilege
ok: The skill does not request always:true, does not modify other skills or system-wide configs, and does not ask for persistent privileges. Autonomous invocation is allowed by default, but that alone is not a flag; note, however, that the instructions intentionally perform actions without further user confirmation.