Album Pipeline

Pass. Audited by VirusTotal on Apr 30, 2026.

Overview

Type: OpenClaw Skill
Name: album-pipeline
Version: 0.1.0

The skill bundle implements a complex 6-phase AI music production pipeline using orchestrated sub-agents. It utilizes high-risk capabilities including shell command execution via CLI tools (minimax, mmx, ffmpeg, and zip) as seen in 'phase4-music-executor/SKILL.md' and 'audio-transcoder/SKILL.md'. While these capabilities are aligned with the stated purpose of media generation and packaging, the execution logic involves passing AI-generated strings (prompts and metadata) directly into shell commands, which presents a risk of command injection. No evidence of intentional malice or data exfiltration was found, and the inclusion of a 'SECURITY.md' suggests a focus on legitimate development.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may run ffmpeg/ffprobe and create or overwrite generated audio files during the workflow.

Why it was flagged

The skill instructs the agent to run local media-processing commands. This is expected for audio transcoding, but it does execute local binaries and writes output files.

Skill content

ffmpeg -i input.mp3 -b:a 320000 -ar 44100 -y temp.mp3

Recommendation

Use a dedicated project folder, verify input/output paths before transcoding, and make sure ffmpeg/ffprobe are trusted installations.

What this means

Unreleased lyrics, concepts, prompts, and possibly cover/video materials may be processed by MiniMax, and provider quota or billing may be used.

Why it was flagged

The workflow sends prompts and lyrics files to the MiniMax CLI/provider for music generation. This is central to the skill’s purpose, but it crosses a provider boundary.

Skill content

minimax music generate ... --lyrics-file /path/to/lyrics.txt

Recommendation

Do not include confidential material unless you are comfortable sending it to the generation provider; review MiniMax account, privacy, and quota settings first.

Note: High Confidence
ASI10: Rogue Agents

What this means

Multiple sub-agents may continue generating and editing project files after the current chat turn ends.

Why it was flagged

The root workflow explicitly uses background sub-agents after sessions_yield. This is disclosed and scoped to album-production phases, but users should notice that work continues asynchronously.

Skill content

Sub-agents work in the background

Recommendation

Invoke the skill only when you want the full pipeline to proceed, and monitor or cancel background work if the project scope changes.

What this means

The skill may fail or use whatever local tools are available if those dependencies are missing or not trusted.

Why it was flagged

The registry metadata does not declare runtime binaries, while the visible instructions reference MiniMax CLI, ffmpeg/ffprobe, and zip. This is not suspicious by itself, but setup requirements are under-declared.

Skill content

Required binaries (all must exist): none ... No install spec — this is an instruction-only skill.

Recommendation

Install required tools from trusted sources and confirm versions before running the pipeline.