Song Creation

Review

Audited by ClawScan on May 10, 2026.

Overview

This skill is plausibly for song creation, but it needs review because it runs a local AI server, relies on unreviewed local instructions, and has weak safeguards around local file paths and setup.

Review this skill before installing or using it. It appears aligned with creating songs, but setup.sh installs substantial third-party software and models, the local ComfyUI server should not be left running unnecessarily, and song titles should be sanitized before generating files. Also verify the referenced ComfyUI operation manual path before allowing the engine sub-agent to follow it.

Findings (7)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A stale or modified local manual could change what the engine agent does during generation, including commands it runs.

Why it was flagged

The core engine task is told it must read this local manual before acting, but that file is not included in the manifest, and setup.sh creates a different manual path. This makes an unreviewed local file authoritative for the sub-agent.

Skill content
cat ~/.openclaw/workspace/tools/comfyui操作手册.md
Recommendation

Package the manual with the skill, reference the exact reviewed path, and treat local helper instructions as untrusted unless the user explicitly approves them.

What this means

A crafted or accidental song name containing path traversal characters could cause the generated MP3 to be moved outside the intended output folder or overwrite another user-owned file.

Why it was flagged

The generated output filename is built directly from song_name without sanitizing path separators or resolving it back under the intended output directory.

Skill content
prefix = f"{date_str}/audio/{song_name}" ... dst = os.path.join(dst_dir, f"{song_name}.mp3") ... shutil.move(src, dst)
Recommendation

Sanitize song names to a safe basename, reject slashes and '..', and verify the resolved destination remains inside ~/.openclaw/workspace/output.
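The check this recommendation describes, as an added example rather than the skill's own code: the song name is reduced to a single path component, the destination is resolved and proven to sit under the output root, and the move refuses to overwrite an existing file. The output root is the one named in the review; the length cap, the helper names and the constructed sample file are assumptions for illustration.

```python
from __future__ import annotations

import re
import shutil
import tempfile
from pathlib import Path

# The review names ~/.openclaw/workspace/output as the intended output root.
OUTPUT_ROOT = Path("~/.openclaw/workspace/output").expanduser()

_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
MAX_NAME_LEN = 120  # assumption: a practical cap, not taken from the skill


def safe_song_basename(song_name: str) -> str:
    """Return song_name as a single path component or raise ValueError.

    Rejects path separators, '..', NUL/control characters, leading dots,
    and empty or over-long names. Non-ASCII titles (e.g. Chinese) are kept.
    """
    name = song_name.strip()
    if not name or len(name) > MAX_NAME_LEN:
        raise ValueError("song name is empty or too long")
    if "/" in name or "\\" in name or ".." in name:
        raise ValueError("song name must not contain path separators or '..'")
    if name.startswith(".") or _CONTROL_CHARS.search(name):
        raise ValueError("song name must not start with '.' or contain control characters")
    return name


def is_safe_song_name(song_name: str) -> bool:
    """Boolean form of safe_song_basename, for pre-checks and tests."""
    try:
        safe_song_basename(song_name)
    except ValueError:
        return False
    return True


def resolve_mp3_destination(song_name: str, date_str: str, root: Path | str = OUTPUT_ROOT) -> Path:
    """Build <root>/<date_str>/audio/<name>.mp3 and prove it stays under root.

    date_str is assumed to come from the skill's own date formatting, not from
    the user; the containment check still catches any surprise in it.
    """
    base = safe_song_basename(song_name)
    root_resolved = Path(root).resolve()
    dst = (root_resolved / date_str / "audio" / f"{base}.mp3").resolve()
    if root_resolved not in dst.parents:
        raise ValueError(f"{dst} escapes {root_resolved}")
    return dst


def move_generated_mp3(src: Path, song_name: str, date_str: str, root: Path | str = OUTPUT_ROOT) -> Path:
    """Hardened form of the skill's shutil.move(src, dst): scoped path, no overwrite."""
    dst = resolve_mp3_destination(song_name, date_str, root)
    dst.parent.mkdir(parents=True, exist_ok=True)
    if dst.exists():
        raise FileExistsError(f"refusing to overwrite {dst}")
    shutil.move(str(src), str(dst))
    return dst


def demo() -> dict:
    """Run the hardened move in a throwaway directory and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "output"
        src = Path(tmp) / "ComfyUI_00001_.mp3"  # constructed stand-in for the engine's output file
        src.write_bytes(b"constructed sample bytes, not real audio")
        dst = move_generated_mp3(src, "Summer Rain", "2026-05-10", root)
        moved = dst.is_file() and not src.exists()
        relative = dst.relative_to(root.resolve()).as_posix()
    # Names the original f-string would have interpolated straight into the path.
    attempts = ["../../.bashrc", "a/b", "..", ".hidden", "x\x00y", "..\\..\\evil"]
    blocked = [n for n in attempts if not is_safe_song_name(n)]
    return {"moved": moved, "relative": relative, "blocked": blocked}


if __name__ == "__main__":
    print(demo())
```

Rejecting `..` outright (rather than only as a whole component) is deliberate: it also blocks titles such as `Wait.. what`, which is an acceptable loss for a filename, and the resolve-and-compare step remains the real guarantee if the allow-rules are ever loosened.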

What this means

If the local ComfyUI server is left running with CORS enabled, other local programs and any web page open in a browser on the same machine can submit jobs to it and read the results, which is a wider path than users expect from a "localhost-only" service.

Why it was flagged

The startup script enables CORS for the local ComfyUI API. Binding to 127.0.0.1 keeps the port off the network, but CORS is a browser-side control: with it enabled, a page from any origin that the user happens to have open can make cross-origin requests to the local service and read its responses while it is running. Given no argument, ComfyUI's `--enable-cors-header` allows every origin (`*`).

Skill content
python main.py --listen 127.0.0.1 --enable-cors-header
Recommendation

Disable CORS unless something actually needs it (and if it is needed, pass a specific origin to `--enable-cors-header` instead of the default `*`), keep the service bound to 127.0.0.1, stop ComfyUI when not in use, and avoid opening untrusted web pages while it is running.

What this means

If followed, this terminates every process whose command line matches python.*main.py, which includes any other Python program started as main.py (a common entry-point name), not just ComfyUI, and could disrupt unrelated work.

Why it was flagged

The crash-recovery instructions use a broad process match rather than targeting only the ComfyUI process or its PID.

Skill content
pkill -f "python.*main.py"
Recommendation

Replace this with a scoped shutdown: record ComfyUI's PID when starting it and signal only that PID after confirming its command line is still ComfyUI's main.py, or at least match the full ComfyUI path rather than any main.py, and ask the user before killing processes.
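A scoped stop of the kind the recommendation asks for, as an added example and not the skill's code: the launcher records the PID it started, and the stop signals only that PID, and only after checking that the PID's current command line still contains the expected program (a stale pidfile can point at a reused PID). The pidfile location, the helper names and the stand-in "server" in the demo (a sleeping Python process) are assumptions; the code assumes a POSIX host, reading `/proc` on Linux and falling back to `ps` elsewhere.

```python
import os
import signal
import subprocess
import sys
import tempfile
from pathlib import Path
from typing import Optional

# Usage with the setup script's own variables (VENV_DIR, COMFYUI_DIR), as an illustration:
#   start_tracked([f"{VENV_DIR}/bin/python", f"{COMFYUI_DIR}/main.py", "--listen", "127.0.0.1"], pidfile)
#   stop_tracked(pidfile, f"{COMFYUI_DIR}/main.py")


def process_cmdline(pid: int) -> Optional[str]:
    """Return the live command line of pid, or None if the process is gone (or a zombie)."""
    proc = Path(f"/proc/{pid}/cmdline")
    if proc.exists():  # Linux
        try:
            raw = proc.read_bytes()
        except OSError:
            return None
        return raw.replace(b"\0", b" ").decode(errors="replace").strip() or None
    try:  # macOS / BSD fallback
        out = subprocess.run(["ps", "-o", "args=", "-p", str(pid)],
                             capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.strip() or None


def start_tracked(argv: list, pidfile: Path) -> subprocess.Popen:
    """Launch the server and record its PID; the pidfile is what later scopes the stop."""
    child = subprocess.Popen(argv)
    Path(pidfile).write_text(str(child.pid))
    return child


def stop_tracked(pidfile, expected_substring: str, sig=signal.SIGTERM) -> str:
    """Signal only the recorded PID, and only if its command line still contains
    expected_substring. Returns "killed", "gone" (nothing to do) or "refused"
    (the PID now belongs to something else; it is left untouched)."""
    pidfile = Path(pidfile)
    try:
        pid = int(pidfile.read_text().strip())
    except (OSError, ValueError):
        return "gone"
    cmd = process_cmdline(pid)
    if cmd is None:
        pidfile.unlink(missing_ok=True)  # stale pidfile, process already exited
        return "gone"
    if expected_substring not in cmd:
        return "refused"
    os.kill(pid, sig)
    pidfile.unlink(missing_ok=True)
    return "killed"


def demo_scoped_stop() -> dict:
    """Constructed scenario: track a stand-in server, refuse a mismatched stop, honour a matching one."""
    with tempfile.TemporaryDirectory() as tmp:
        pidfile = Path(tmp) / "comfyui.pid"
        child = start_tracked([sys.executable, "-c", "import time; time.sleep(60)"], pidfile)
        try:
            first = stop_tracked(pidfile, "ComfyUI/main.py")      # not this process: refused
            alive_after_refusal = child.poll() is None
            second = stop_tracked(pidfile, "time.sleep(60)")      # matches: SIGTERM sent
            child.wait(timeout=10)
        finally:
            if child.poll() is None:
                child.kill()
        return {"first": first, "alive_after_refusal": alive_after_refusal,
                "second": second, "exit": child.returncode,
                "pidfile_removed": not pidfile.exists()}


if __name__ == "__main__":
    print(demo_scoped_stop())
```

The substring check is the part that makes this safer than `pkill -f`: a pattern such as `python.*main.py` is evaluated against every process on the machine, while this check is evaluated against exactly one PID that the skill itself created.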

What this means

Running setup.sh gives third-party packages and downloaded models access to the local environment during installation and later use.

Why it was flagged

The installer pulls third-party code, Python dependencies, and model files without pinned commits or checksum verification. This is expected for a local ComfyUI setup but should be visible to the user.

Skill content
git clone https://github.com/comfyanonymous/ComfyUI.git ... "$VENV_DIR/bin/pip" install -r "$COMFYUI_DIR/requirements.txt" ... wget ... huggingface.co/Looky916/AceStep-v1.5
Recommendation

Inspect setup.sh before running it; prefer a pinned ComfyUI commit (`git checkout <commit>` after the clone), hash-pinned Python dependencies (`pip install --require-hashes -r requirements.txt` with a locked requirements file), and a recorded SHA-256 for each downloaded model file checked with `sha256sum -c`; and run it in a dedicated user account or container where possible.

What this means

Song ideas and lyrics may be processed by multiple model sessions/providers, and one listed model is described as a paid API.

Why it was flagged

The workflow intentionally passes song prompts, lyrics, and arrangement details through spawned sub-sessions and external model providers. The context is marked isolated, and this is aligned with the skill purpose.

Skill content
`sessions_spawn` creates a brand-new sub-session ... model: `custom-integrate-api-nvidia-com/deepseek-ai/deepseek-v4-pro` ... model: `deepseek/deepseek-v4-flash`
Recommendation

Do not include private information in song prompts unless you are comfortable sending it through the configured model providers, and confirm any provider cost before use.

What this means

Installation can modify ~/ai, create a Python virtual environment, and download about 18GB of assets.

Why it was flagged

The included setup script performs local shell setup, package installation, model downloads, and startup-script creation. This is consistent with local audio generation but is more than an instruction-only skill.

Skill content
# Song Creation Skill - One-Click Setup ... This script installs ComfyUI + AceStep + required models
Recommendation

Run setup only after reviewing it, preferably in an isolated user environment, and make sure you have enough disk space and GPU support.