Lyria
v1.0.0
Generate 30-second instrumental music via Google Lyria (Vertex AI). Use when user requests music generation, specific styles/keys/instruments, or music itera...
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the implementation: the Python and shell scripts call Vertex AI Lyria endpoints, save WAV files, and support prompt iteration. Asking for a Google access token and project/location is appropriate for calling Vertex AI.
Instruction Scope
SKILL.md stays within the music-generation workflow (setup, obtain gcloud token, create config.json, generate files). It instructs creating files under ~/.openclaw/workspace/lyria and storing a bearer token in config.json (plaintext). The instructions require the agent or user to run gcloud auth flows and to refresh the bearer token manually — this is expected but should be done carefully because the token can grant broad Google API access.
Install Mechanism
There is no platform install spec (instruction-only), which reduces risk. The README suggests installing the Google Cloud SDK; the Linux install guidance uses curl https://sdk.cloud.google.com | bash (download-and-exec) which is common for gcloud but is higher-risk than a reviewed package manager step — users should verify the installer source and prefer package-managed installs when possible.
Credentials
The skill does not declare required environment variables in the registry metadata, but the runtime expects a config.json containing project_id, location, bearer_token, and output_dir. Requesting a Google bearer token is proportionate to calling Vertex AI, but the recommended method (personal gcloud access token written to a plaintext config file) can expose broad permissions; using a scoped service account or limiting token scopes and protecting the config file is advisable.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or global agent settings. It only creates/uses files under the user's workspace path (~/.openclaw/workspace/lyria) and writes generated audio there, which is consistent with its purpose.
Assessment
This skill appears to do what it says (generate short instrumental tracks via Google Lyria). Before installing or running it, consider:
1) Protect credentials: the workflow asks you to put a bearer token in ~/.openclaw/workspace/lyria/config.json — store this file with strict permissions (chmod 600) or prefer a service account with minimal scopes instead of a personal token.
2) Token scope: a gcloud access token may be usable for other Google APIs; create/choose credentials with limited permissions when possible.
3) Installer caution: the Linux install suggestion pipes a remote script (curl | bash); verify the source or use your OS package manager.
4) Metadata mismatch: the skill metadata lists no required env vars, yet runtime needs a config file with a bearer token; confirm you’re comfortable providing credentials via the config file.
5) Review files before running: the bundled scripts make network calls only to Google Vertex AI endpoints and write WAV files to the workspace, but always inspect third-party scripts before execution.
Like a lobster shell, security has layers — review code before you run it.
