Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Music Studio

v1.0.10

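A lightweight music creation workbench for large language models (LLMs) that generates music, lyrics and covers through natural-language interaction. It defaults to conservative local configuration and output management, and currently officially supports MiniMax lyrics, `music-2.6` text-to-music generation, and a two-stage cover pipeline in which `music-cover` preprocessing is combined with `music-2.6`; it is entered only when the user explicitly says 「打开音乐工作室」 ("open the music studio")...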


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for mrgyan/music-studio.

Install the skill "Music Studio" (mrgyan/music-studio) from ClawHub.
Skill page: https://clawhub.ai/mrgyan/music-studio
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install music-studio

ClawHub CLI


npx clawhub@latest install music-studio
Security Scan
Capability signals: Crypto, Requires OAuth token, Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, description, and code align: the package implements lyrics generation, text→music generation, and a two-step cover workflow using a MiniMax provider (endpoints under https://api.minimaxi.com/v1). The code only requires a provider API key and local file I/O for outputs, which are expected for this functionality.
Instruction Scope
SKILL.md and the conversation engine restrict activation to explicit trigger phrases and document behavior. At runtime the skill reads/writes a local config.json (~/.config/music-studio/config.json), writes outputs/metadata to an output directory, downloads user-supplied audio URLs, and sends payloads (including audio URLs and lyrics/prompts) to the external API. These actions are within the stated purpose but involve network access and arbitrary URL downloads, so they carry expected operational risk.
Install Mechanism
No install spec; the skill is instruction/code-only and does not fetch or run arbitrary installers. There is no external download/install URL in the registry metadata. This is lower risk than bundled install scripts or remote archive extraction.
! Credentials
The skill requires an external API key at runtime (documented in SKILL.md and implemented in code via config.get_api_key/save_config), but the registry metadata lists no required env vars or primary credential. That metadata omission is inconsistent and could mislead users/automations. Also the key is stored in plaintext in a local config.json by default — functional but a potential secrecy risk if users don't secure the file or mistakenly publish packaged config.
Persistence & Privilege
always:false and the skill does not modify other skills or system-wide agent settings. It does persist data to the user's filesystem (config.json and output files) and automatically creates session files and library entries. This is expected behavior for a local workspace but should be noted: files (including audio downloads) will be written to disk and older outputs may be auto-deleted by the clean routine.
What to consider before installing
What to check before installing:

  • The skill needs a provider API key (MiniMax). The code saves keys to ~/.config/music-studio/config.json in plaintext: do not publish that file or embed a real key in shared packages. Prefer using a throwaway or limited-scope key and run clear-key when done.
  • Registry metadata does not declare the required credential: treat that as a red flag and ensure you understand/approve where the key is stored before enabling the skill.
  • The skill will perform outbound network calls to https://api.minimaxi.com/v1 and will download user-supplied audio URLs (it fetches arbitrary URLs and writes them to disk). If you don't trust the remote audio URLs, avoid using the cover feature or inspect the URLs first.
  • Files (library.json, .url, .mp3, .meta.txt, lyrics files) are written into an output directory (default under the package output/ or an XDG-configured location). Check and set the output_dir in config if you want a specific location, and verify file permissions.
  • The skill’s activation is guarded by explicit trigger phrases in its conversation layer, but platform-level autonomous invocation could still call it; since it requires a local API key to do anything useful, the blast radius is limited unless you provide a key.
  • If you plan to publish or move this environment, run the provided prepublish_check and remove any config.json with real keys. Consider auditing the provider endpoint (api.minimaxi.com) and the MiniMax provider code if you require higher assurance.

If you want more confidence: request that the publisher update the registry metadata to declare the primary credential and its storage behavior, or inspect/modify the code locally so keys are stored in a secret manager or not persisted.

Like a lobster shell, security has layers — review code before you run it.

latest vk97f796tmd0bqmhq1vbeq16bbn85e8p7
155 downloads
0 stars
10 versions
Updated 4d ago
v1.0.10
MIT-0

Music Studio v1.0.10

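A MiniMax music creation workbench that delivers results through guided conversation.

The current version officially supports MiniMax:

  • Lyrics generation: /v1/lyrics_generation
  • Text-to-music generation: music-2.6
  • Cover: music-cover preprocessing → music-2.6 final generation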

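Conversational interaction

Wake-up: the user says 「打开音乐工作室」 ("open the music studio") → the guided flow starts

Flow

User: 打开音乐工作室
↓
小盆子:🎵 The music studio is ready!
        What would you like to do?
        1️⃣ Generate music
        2️⃣ Write lyrics
        3️⃣ Cover
        4️⃣ View the music library
        5️⃣ Export / clean up
        6️⃣ Session history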

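Cover implementation notes (important)

The current MiniMax cover pipeline does not "produce audio directly with music-cover". Instead:

  1. POST /v1/music_cover_preprocess, using the model music-cover
  2. Obtain the cover_feature_id and the automatically extracted lyrics
  3. POST /v1/music_generation, using the model music-2.6
  4. Pass in cover_feature_id, lyrics and prompt to complete the final generation

Therefore, cover_model in the configuration actually denotes the cover preprocessing model; the final audio generation still uses music_model.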

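Risk notes

At runtime this skill depends on an external API key and reads and writes local configuration and output files. No real key should be included when publishing to ClawHub.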

CLI commands

python -m music_studio set-key
python -m music_studio clear-key
python -m music_studio lyrics "<topic>" [--title "title"] [--edit "lyrics"]
python -m music_studio music "<description>" [lyrics] [--instrumental] [--optimizer] [--format url|hex]
python -m music_studio cover "<description>" --audio <URL> [--lyrics <lyrics>]
python -m music_studio library list | get <id> | lyrics <id> | url <id> | download <id>
python -m music_studio library export lyrics <id> | export all | clean | purge
python -m music_studio init / reset / help

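Key policy

  • By default the API key is stored on the user's own machine in ~/.config/music-studio/config.json and is managed with set-key
  • The repository and release packages must not contain any real API key
  • A config.example.json may be provided as a sample, but the sample file may contain only placeholder values
  • Both initialization and the conversational setup perform a real API validation, to avoid "false success"
  • Before publishing, you can run: python scripts/prepublish_check.py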
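
The two risks named above (a plaintext key in config.json, and a real key shipped inside a package) can be checked mechanically. The following is an added example, not the skill's own code and not its scripts/prepublish_check.py; the `api_key` field name, the placeholder strings and all function names are assumptions, since the page does not show the config schema.

```python
import json
import os
import stat
import tempfile
from pathlib import Path

KEY_FIELD = "api_key"  # assumed field name; the page does not show the schema
PLACEHOLDERS = {"", "YOUR_API_KEY", "<your-api-key>"}  # constructed examples


def save_config_private(path: Path, data: dict) -> None:
    """Atomically write the config so only the owner can read it (0600)."""
    path.parent.mkdir(mode=0o700, parents=True, exist_ok=True)
    # mkstemp creates the file with mode 0600 regardless of umask.
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=".config-")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(data, fh)
        os.replace(tmp, path)  # the rename keeps the 0600 mode
    except BaseException:
        os.unlink(tmp)
        raise


def audit_local_config(path: Path) -> list:
    """Return findings if group or others can access the key file."""
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & 0o077:
        return [f"{path}: mode {mode:04o} exposes the key beyond the owner"]
    return []


def find_packaged_keys(root: Path) -> list:
    """Return config.json files under root holding a non-placeholder key."""
    hits = []
    for cfg in sorted(root.rglob("config.json")):
        try:
            value = json.loads(cfg.read_text(encoding="utf-8")).get(KEY_FIELD)
        except (OSError, ValueError, AttributeError):
            continue  # unreadable or not a JSON object: nothing to judge
        if isinstance(value, str) and value.strip() not in PLACEHOLDERS:
            hits.append(cfg)
    return hits
```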

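Session manager

Each 「打开音乐工作室」 ("open the music studio") creates an independent session, with its data saved in output/sessions/

  • Session history: say "6" or 「会话历史」 ("session history") to view it, then enter an index number to restore a session
  • Automatic cleanup: sessions not updated for more than 30 days are deleted automatically
  • Each new session: opening the studio creates a new session; existing ones are not reused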

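Version history

Condensed release notes: 1.0.10 consolidates the API key configuration policy (removes the environment-variable dependency and unifies on the local config.json), completes the publishing leak-prevention rules and the pre-publish self-check, and adapts the skill for publishing on ClawHub.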
