Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

music-transposer

v1.0.0

Transpose music keys

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
[!] Purpose & Capability
The name/description say 'Transpose music keys' which is reasonable, but the usage shows running python3 scripts/music_transposer.py while the package contains no code files. The manifest declares no required env vars or binaries, yet instructions require an API key and a script path — these do not align with the stated, minimal purpose.
[!] Instruction Scope
SKILL.md tells the agent to run a local script path (scripts/music_transposer.py) and to set TRANSPOSE_API_KEY. There are no included scripts and TRANSPOSE_API_KEY is not declared in registry metadata. Instructions therefore reference files/credentials outside the skill bundle and grant the agent broad discretion to execute a local script if present.
Install Mechanism
No install spec and no code files are included, so nothing will be written to disk by an installer. That minimizes install-time risk, but leaves runtime behavior ambiguous because the instructions expect external artifacts.
[!] Credentials
SKILL.md asks users to set TRANSPOSE_API_KEY, but the registry metadata lists no required environment variables or primary credential. Requesting an unspecified API key is plausible for an external transpose service, but the mismatch is unexplained and could lead to accidental exposure of credentials.
Persistence & Privilege
The skill does not request elevated privileges, always:true is not set, and there are no install hooks. It does, however, instruct runtime execution of a local script if available, which could be risky depending on that script's contents.
What to consider before installing
Do not install or run this skill until the author clarifies two things: (1) provide the actual code (scripts/music_transposer.py) or change the usage instructions to match what is included, and (2) explain why TRANSPOSE_API_KEY is needed and add it to the declared requirements. If you must test it, do so in a sandboxed environment and do not expose real API keys. Prefer skills with a repository or homepage and explicit, matching metadata; ask the publisher for source code and exact runtime expectations before trusting any API key.

Like a lobster shell, security has layers — review code before you run it.

latestvk9766tdxn09502z3drsh2yrbzs83ja49
