Strudel Music
Status: Pending. Static analysis audit pending.
Overview
No static analysis result has been recorded yet. Pattern checks will appear here once the artifact has been analyzed.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or unreviewed composition could read local files, environment variables, or make network requests when rendered.
The skill openly states that rendered composition files are executable JavaScript with broad local access. This is central to Strudel live-coding, but it is security-sensitive behavior that deserves attention.
Compositions are JavaScript files evaluated by Node.js. They CAN access the filesystem, environment variables, and network.
Render only trusted or reviewed composition files, avoid running with secrets in the environment, and use a container or VM for untrusted compositions as the skill itself recommends.
Installing dependencies or downloading samples can run third-party package lifecycle code or retrieve external assets.
Setup involves installing Node dependencies and running a sample-download script. This is expected for an audio-rendering skill but still introduces dependency and download provenance risk.
script: "npm install && bash scripts/download-samples.sh"
Review package files and download scripts before setup, and run installation in a least-privileged workspace.
Rendered audio may be posted or streamed into Discord using the current gateway’s permissions.
The skill can use the already-authenticated OpenClaw Discord gateway to post or stream audio. This is disclosed and aligned with the music-playback purpose, but it uses delegated account authority.
posts audio or streams to Discord VC (via the OpenClaw gateway — no separate credentials needed)
Confirm the target Discord channel or voice channel before posting or streaming, especially in shared servers.
Running long renders incorrectly could interrupt the OpenClaw gateway or current session.
The documentation warns that the renderer can block the main session and disrupt the gateway if run inline. It also provides a mitigation using background execution or a sub-agent.
If you run it in your main OpenClaw session, it will kill the gateway after ~30 seconds
Use the documented background execution with a timeout or a dedicated sub-agent for rendering.
