AI Songwriter
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill’s song-generation workflow is mostly coherent, but its script includes an undisclosed callback to example.com that could send generation results to an unrelated third party.
Review and preferably remove the hard-coded callback URL before installing. Also be aware that this skill is designed to run end-to-end without asking for confirmation, uses your KIE/Suno API key, and may consume provider credits automatically once you give it a song theme.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the KIE API uses the callback, task status, generated audio links, or related request data could be sent to an unrelated domain the user did not approve.
The script includes this hard-coded callback URL in generate, extend, cover, and upload-extend API request bodies. SKILL.md describes KIE/Suno generation and polling, but does not disclose any callback to example.com.
callBackUrl: "https://example.com/callback"
Remove the callback field, make it user-configurable, or clearly disclose and justify the callback destination before users run the skill.
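Added example, not the skill's own script or part of the ClawScan output: one way to implement the "make it user-configurable" option. The only field taken from the script is callBackUrl; the environment variable name KIE_CALLBACK_URL and the functions parseCallbackConfig and buildRequestBody are hypothetical names chosen for this illustration. The body builder refuses to send any callback the user did not configure, which is exactly the case the baked-in example.com literal would trigger.

```javascript
// Added example, not the skill's own script. Attach a KIE callBackUrl only when
// the user configured one, and refuse a body that carries any other callback.
// Hypothetical names: KIE_CALLBACK_URL, parseCallbackConfig, buildRequestBody.

// Returns the user's approved callback URL as a string, or null if none is set.
function parseCallbackConfig(env) {
  const raw = env.KIE_CALLBACK_URL;
  if (raw === undefined || raw === '') return null;
  let url;
  try {
    url = new URL(raw);
  } catch {
    throw new Error(`KIE_CALLBACK_URL is not a valid absolute URL: ${raw}`);
  }
  // Task status and generated audio links travel over this hop, so require TLS.
  if (url.protocol !== 'https:') {
    throw new Error(`KIE_CALLBACK_URL must be https, got ${url.protocol}`);
  }
  return url.toString();
}

// Builds the JSON body for the generate / extend / cover / upload-extend requests.
// `fields` is whatever the caller wants to send; `env` is process.env or a stand-in.
function buildRequestBody(fields, env) {
  const approved = parseCallbackConfig(env);
  const body = { ...fields };
  if ('callBackUrl' in body && body.callBackUrl !== approved) {
    // A callback the user did not configure (for example a literal baked into the
    // script) would leak results to a third party: fail loudly instead of sending it.
    throw new Error(`refusing unapproved callBackUrl ${body.callBackUrl}`);
  }
  if (approved === null) {
    delete body.callBackUrl; // no callback configured: send none at all
  } else {
    body.callBackUrl = approved;
  }
  return body;
}
```

With KIE_CALLBACK_URL unset the request goes out with no callBackUrl field, which is the safe default; a user who wants delivery to their own endpoint sets the variable once and the destination is then visible in their own configuration rather than hidden in the script.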
Once the user provides a theme, the agent may immediately call the external generation service, which may use API credits or create content before the user reviews the lyrics.
The skill instructs the agent to proceed through subagents and the Suno generation command without pausing for user review.
After the user gives a theme, you must run all 4 of the following steps fully automatically and never stop in between to wait for user confirmation. (Translated from the Chinese instruction in SKILL.md.)
Install only if you want a fully automatic workflow; otherwise edit the instructions to require confirmation before the Suno API call.
The skill needs access to your KIE/Suno account credential and may spend credits or create songs under that account.
The script uses a local API key as a bearer token for the KIE/Suno API. This is expected for the integration, but the registry metadata says there are no required env vars or primary credential.
const API_KEY = process.env.KIE_API_KEY || process.env.SUNO_API_KEY; ... 'Authorization': `Bearer ${API_KEY}`
Use a scoped API key if available, monitor provider usage, and treat the undeclared credential requirement as part of the install decision.
If the remote service leaves a task pending, the script could keep running and polling longer than expected.
The polling loop sleeps 10 seconds between status checks and only exits when the remote task returns SUCCESS or FAILED; there is no maximum wait time, no maximum poll count, and no handling of a status request that keeps failing.
while (true) { ... await sleep(10000); }
Add a reasonable timeout or maximum poll count so the workflow stops cleanly if generation never completes.
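Added example, not the skill's own script or part of the ClawScan output: a bounded replacement for the script's while (true) status loop. pollUntilDone and makeFakeStatus are hypothetical names; the real KIE status request is passed in as a function, so the loop can be exercised offline with the constructed stand-in. It keeps the script's 10-second cadence but adds a wall-clock deadline, a request budget, and a cap on consecutive failed status requests, each of which ends the loop with a distinct error code the caller can report.

```javascript
// Added example, not the skill's own script: a bounded replacement for the
// `while (true) { ... await sleep(10000); }` status loop. Hypothetical names:
// pollUntilDone, makeFakeStatus; the real status request is passed in.

const TERMINAL_STATUSES = new Set(['SUCCESS', 'FAILED']);

// fetchTaskStatus: async () => ({ status: 'PENDING' | 'SUCCESS' | 'FAILED', ... })
// Resolves with the terminal response plus the number of polls it took; rejects
// with code POLL_TIMEOUT or POLL_ERRORS when the loop gives up.
async function pollUntilDone(fetchTaskStatus, opts = {}) {
  const {
    intervalMs = 10000,               // the script's 10 s cadence
    maxWaitMs = 10 * 60 * 1000,       // ceiling on wall-clock time
    maxPolls = 60,                    // ceiling on request count
    maxConsecutiveErrors = 3,         // tolerate a few transient failures
    sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms)),
    now = () => Date.now(),
  } = opts;

  const deadline = now() + maxWaitMs;
  let consecutiveErrors = 0;

  for (let polls = 1; polls <= maxPolls; polls++) {
    let res;
    try {
      res = await fetchTaskStatus();
      consecutiveErrors = 0;
    } catch (err) {
      consecutiveErrors++;
      if (consecutiveErrors >= maxConsecutiveErrors) {
        const e = new Error(`status request failed ${consecutiveErrors} times in a row: ${err.message}`);
        e.code = 'POLL_ERRORS';
        throw e;
      }
      res = { status: 'PENDING' };    // treat as not finished yet and retry
    }
    if (TERMINAL_STATUSES.has(res.status)) return { ...res, polls };
    // Stop before a sleep that would carry the loop past the deadline.
    if (now() + intervalMs > deadline) break;
    await sleep(intervalMs);
  }

  const e = new Error(`generation did not finish within ${maxPolls} polls or ${maxWaitMs} ms`);
  e.code = 'POLL_TIMEOUT';
  throw e;
}

// Constructed stand-in for the KIE status endpoint: returns the statuses in order,
// keeps repeating the last one, and counts calls so the poll budget can be checked.
function makeFakeStatus(sequence) {
  const fake = async () => {
    const status = sequence[Math.min(fake.calls, sequence.length - 1)];
    fake.calls++;
    return { status };
  };
  fake.calls = 0;
  return fake;
}
```

The deadline check runs before the sleep rather than after it, so the loop never spends an interval it cannot afford; with the defaults a stuck task costs at most 60 requests and 10 minutes instead of an open-ended session on the user's credentials.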
