Lyria

Security checks across static analysis, malware telemetry, and agentic risk

Overview

Lyria appears to do what it says—call Google Vertex AI to generate WAV music—but users should handle the Google Cloud token and SDK setup carefully.

Before installing, confirm that you trust the Google Cloud SDK setup path (the first-run instructions pipe a remote installer into bash), use a least-privilege Google Cloud project, keep ~/.openclaw/workspace/lyria/config.json readable only by your own user because it stores a bearer token, and leave sensitive information out of music prompts, since every prompt is sent to Google.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
Severity: Medium

What this means

Google OAuth2 access tokens (the ya29. prefix) are short-lived, typically about an hour, which limits but does not remove the exposure: anyone who can read the config while the token is valid can act with that identity's Google Cloud permissions, and any API calls they make are billed to the project.

Why it was flagged

The skill asks the user to store a Google Cloud access token in a local config file so the script can call Vertex AI. This is expected for the integration, but the file then holds credential material, not just configuration.

Skill content
"bearer_token": "ya29.a0AfH...your-token-here"
Recommendation

Use a least-privilege Google Cloud project or service account, restrict the config file to your own user (chmod 600), mint tokens on demand (for example with gcloud auth print-access-token) rather than leaving them on disk, delete expired tokens, and never paste the token or the config contents into chats, tickets, or prompts.

ASI04: Agentic Supply Chain Vulnerabilities
Severity: Low

What this means

A user who follows the Linux setup command will run an external installer on their machine.

Why it was flagged

The first-time setup includes a user-directed remote installer for the Google Cloud SDK. This is Google's documented interactive install path and is relevant to the skill, but it executes a script fetched over the network with no chance to inspect or pin it before it runs.

Skill content
curl https://sdk.cloud.google.com | bash
Recommendation

Prefer the Google Cloud CLI packages from a trusted package manager (the apt/yum repositories or Homebrew) or the official archive linked from Google's documentation. If you do use the script, download it to a file, read it, and run it as an unprivileged user rather than with sudo.
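As an added example (not part of the skill or of ClawScan's output), the following Python helper stages the installer on disk instead of piping it into a shell, requires a shell-script shebang and an operator-supplied SHA-256 pin, and only then hands the file to bash as the current user. The digest is an assumption: it is whatever the operator records after reviewing the script on a trusted machine, and none is hard-coded because this page does not provide one.

```python
import hashlib
import subprocess
import urllib.request
from pathlib import Path

# The skill's documented one-liner is `curl https://sdk.cloud.google.com | bash`.
# Same source here, but the script is staged on disk so it can be read and pinned
# before anything executes.
INSTALLER_URL = "https://sdk.cloud.google.com"


def sha256_of(path) -> str:
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def fetch(url: str, dest) -> Path:
    """Download to a file; nothing is executed at this stage."""
    dest = Path(dest)
    with urllib.request.urlopen(url, timeout=30) as resp, open(dest, "wb") as out:
        out.write(resp.read())
    return dest


def check_installer(path, expected_sha256: str) -> bool:
    """Accept the staged file only if it is a shell script with the pinned digest.

    expected_sha256 is the operator's own pin (an assumption of this example);
    it is compared case-insensitively.
    """
    path = Path(path)
    first_line = path.read_bytes()[:64].split(b"\n", 1)[0]
    if not first_line.startswith(b"#!") or b"sh" not in first_line:
        return False  # an HTML error page or a binary is not an installer
    return sha256_of(path) == expected_sha256.lower()


def run_installer(path, expected_sha256: str) -> int:
    """Run the verified script as the current user (never via sudo); return bash's exit code."""
    if not check_installer(path, expected_sha256):
        raise RuntimeError(f"{path} failed verification; refusing to run it")
    return subprocess.call(["bash", str(path)])


if __name__ == "__main__":
    import sys

    staged = fetch(INSTALLER_URL, "google-cloud-sdk-install.sh")
    print("review this file, then rerun with its digest as argv[1]:", sha256_of(staged))
    if len(sys.argv) > 1:
        sys.exit(run_installer(staged, sys.argv[1]))
```

The first run only downloads and prints the digest; the operator reads the script, records the digest, and passes it back on the second run, so a changed upstream script fails the pin instead of silently executing.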

ASI07: Insecure Inter-Agent Communication
Severity: Low

What this means

Music prompts and project-related request data are sent to Google Vertex AI for generation.

Why it was flagged

The script sends the music prompt and bearer-token-authenticated request to the Google Vertex AI endpoint. This external provider call is clearly tied to the stated purpose.

Skill content
requests.post(url, headers=headers, json=data)
Recommendation

Treat every prompt as data that leaves your machine: keep private or sensitive information out of music prompts, and confirm that the selected Google Cloud project and its billing are appropriate for this use.
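As an added example covering both the ASI03 and ASI07 findings (not part of the skill or of ClawScan's output), this Python helper loads the bearer token from the config path named above only when the file is readable by its owner alone and is still fresh, redacts anything that looks like a Google access token before it is logged, and refuses to send a prompt that contains one. The one-hour staleness window reflects the default lifetime of gcloud-minted access tokens; the request body shape is a hypothetical placeholder, since the skill's real payload is not shown on this page.

```python
import json
import os
import re
import stat
import time
from pathlib import Path

# Location named in the skill's own setup instructions.
CONFIG_PATH = Path.home() / ".openclaw" / "workspace" / "lyria" / "config.json"

# Google OAuth2 access tokens start with "ya29."; the rest is opaque.
_TOKEN_RE = re.compile(r"ya29\.[A-Za-z0-9_\-.]+")

# Tokens from `gcloud auth print-access-token` live about one hour, so a config
# file older than that almost certainly holds a dead token (assumed default).
DEFAULT_MAX_AGE = 3600


def is_private(path) -> bool:
    """True when only the owning user can read the file (mode 0600 or tighter)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & 0o077 == 0


def is_stale(path, max_age=DEFAULT_MAX_AGE, now=None) -> bool:
    """Treat the stored token as expired once the file is older than max_age seconds."""
    now = time.time() if now is None else now
    return now - os.stat(path).st_mtime > max_age


def redact(text: str) -> str:
    """Mask anything that looks like a Google access token before logging or echoing."""
    return _TOKEN_RE.sub("ya29.[REDACTED]", text)


def load_token(path=CONFIG_PATH, max_age=DEFAULT_MAX_AGE, now=None) -> str:
    """Return bearer_token from config.json, refusing world-readable or stale files."""
    path = Path(path)
    if not is_private(path):
        raise PermissionError(f"{path} is readable by other users; chmod 600 it")
    if is_stale(path, max_age, now):
        raise ValueError(f"{path} is older than {max_age}s; mint a fresh token")
    token = json.loads(path.read_text()).get("bearer_token", "")
    if not _TOKEN_RE.fullmatch(token):
        raise ValueError("bearer_token missing or not a ya29.* access token")
    return token


def build_request(prompt: str, token: str):
    """Headers and body for the Vertex AI call; rejects prompts that carry a token."""
    if _TOKEN_RE.search(prompt):
        raise ValueError("prompt contains something that looks like an access token: " + redact(prompt))
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    body = {"instances": [{"prompt": prompt}]}  # hypothetical shape; the skill's real payload is not shown
    return headers, body


if __name__ == "__main__":
    tok = load_token()
    hdrs, data = build_request("calm piano, 60 bpm", tok)
    # Only the redacted form of the headers ever reaches a terminal or log.
    print(redact(json.dumps(hdrs)), data)
```

Passing `now` explicitly keeps the staleness check testable; in real use the defaults apply and the script aborts with a clear message instead of sending a dead or leaked token to the endpoint.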