Music Video Generator
ReviewAudited by ClawScan on May 10, 2026.
Overview
This skill advertises real AI music-video generation, but the included code is a mock that fabricates video URLs and account data while still asking for an API key.
Review this carefully before installing. The included code appears to be a mock/demo, not a real music-video generator, and it asks for an API key without using it for real API calls. If you still want to test it, use a disposable or low-privilege key and verify the npm package provenance first.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user or agent may believe a real video was generated and rely on fake URLs, fake job status, or fake credit information.
The implementation explicitly labels itself a mock and fabricates completed jobs and video URLs, while the SKILL.md and README advertise real AI music-video generation.
// Freebeat AI — MCP Server (Mock) ... function fakeVideoUrl(id) { return `https://cdn.freebeat.ai/renders/${id}.mp4`; } ... status: "completed"Do not treat this as a real generator unless the package clearly labels itself as a demo/mock or is updated to call the documented Freebeat API and return verifiable results.
Users may provide an account credential to a tool that does not actually need it for the implemented behavior, and a token prefix may be exposed in assistant logs or transcripts.
The code requires an API key for some tools and displays part of it, but it never uses the key to authenticate to a real provider API, making the credential request unnecessary and under-justified.
const FREEBEAT_API_KEY = process.env.FREEBEAT_API_KEY || ""; ... api_key_prefix: FREEBEAT_API_KEY.slice(0, 8) + "..."
Avoid providing a real API key until the implementation performs a legitimate, scoped API call and avoids returning credential material unless explicitly needed.
If the npm package differs from the reviewed files or later changes, users could run unreviewed code.
The setup instructions run a remote npm package through npx. This is a common MCP installation pattern, but the registry metadata provides unknown source, no homepage, and no formal install spec.
"command": "npx", "args": ["-y", "@anthropic-ai/freebeat-mcp"]
Verify the npm package owner and source repository, pin a reviewed version, and avoid running unverified packages with automatic yes flags where possible.