ACE-Step Music Generation
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill is mostly aligned with local music generation, but some wrappers can turn crafted prompts into executed code and the local API/install paths need review.
Install only if you are comfortable reviewing and editing the scripts. Avoid the remote curl-to-bash installer, do not run the API server until the shell/code-injection issues are fixed, and replace or disable any external messaging targets you do not control.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A crafted music prompt or output path could execute commands with the user's local account permissions.
The user-provided prompt and output path are inserted directly into a Python program that is then executed with python -c, so quotes or newlines in those fields can break out of data context and run arbitrary Python code.
script = f''' ... prompt="{prompt}" ... music.save("{output_path}") ... ''' ... result = self._run_in_venv(["-c", script])
Do not build executable Python strings from prompts. Pass prompt and path as argv, JSON, or a temporary data file, and quote with json.dumps/repr plus strict path validation if dynamic code is unavoidable.
If the local API server is running, a crafted request could execute shell commands, not just generate music.
The HTTP generation endpoint accepts JSON fields and places them into a shell command string executed with shell=True, giving request parameters control over command text.
prompt = params.get('prompt') ... output_path = params.get('output_path') ... cmd = f''' ... print('Would generate: prompt={prompt}, duration={duration}, output={output_path}') ... ''' ... subprocess.run(cmd, shell=True, ...)
Remove shell=True, call the generator with an argument list, validate duration and output paths, and treat all request fields as untrusted data.
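The two findings above share one root cause: prompt, duration and output_path are spliced into text that is then executed (a Python program passed to python -c, a shell command run with shell=True). The following is an added example, not code from the skill or from ACE-Step, of the recommended fix: the worker program is a fixed string, the only variable part is a JSON argument in argv, subprocess runs an argument list with no shell, and duration and output_path are validated before they are passed on. The WORKER text, the function names and the outputs/ root directory are assumptions; the worker is a constructed stand-in that echoes what it received instead of loading the model, so the data boundary can be checked offline.

```python
import json
import subprocess
import sys
from pathlib import Path

# Fixed worker program: no user data is ever written into this text. The parameters
# arrive as sys.argv[1] (JSON), so quotes, newlines or triple quotes in a prompt stay
# data. Constructed stand-in: the real worker would build the ACE-Step pipeline and
# save audio here; this one only echoes the parameters it parsed.
WORKER = r"""
import json, sys
params = json.loads(sys.argv[1])
print(json.dumps({"received": params}))
"""

DEFAULT_ROOT = Path("outputs")  # assumed output directory; adjust for your deployment


def validate_duration(duration) -> float:
    """Accept a number of seconds in a sane range; reject bools, NaN, inf and text."""
    if isinstance(duration, bool):
        raise ValueError("duration must be a number of seconds")
    try:
        seconds = float(duration)
    except (TypeError, ValueError):
        raise ValueError("duration must be a number of seconds") from None
    if not 1.0 <= seconds <= 600.0:  # NaN and inf fail this comparison as well
        raise ValueError("duration must be between 1 and 600 seconds")
    return seconds


def validate_output_path(output_path, root: Path = DEFAULT_ROOT) -> Path:
    """Resolve output_path under root and refuse anything that escapes it."""
    if not isinstance(output_path, str) or "\x00" in output_path:
        raise ValueError("output_path must be a string without NUL bytes")
    if not output_path.lower().endswith(".wav"):
        raise ValueError("output_path must name a .wav file")
    root = root.resolve()
    # An absolute input replaces root in the join, so containment must be checked
    # on the resolved result rather than on the string.
    candidate = (root / output_path).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise ValueError("output_path escapes the output directory") from None
    return candidate


def build_generation_command(prompt, duration, output_path, root: Path = DEFAULT_ROOT) -> list:
    """Return an argv list; the variable part is one JSON argument, never code text."""
    if not isinstance(prompt, str):
        raise ValueError("prompt must be a string")
    payload = {
        "prompt": prompt,  # free text, carried verbatim inside the JSON argument
        "duration": validate_duration(duration),
        "output_path": str(validate_output_path(output_path, root)),
    }
    return [sys.executable, "-c", WORKER, json.dumps(payload)]


def run_generation(prompt, duration, output_path, root: Path = DEFAULT_ROOT) -> dict:
    """Run the worker as an argument list (no shell) and return what it parsed."""
    argv = build_generation_command(prompt, duration, output_path, root)
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return json.loads(result.stdout)


if __name__ == "__main__":
    sample = 'lo-fi "study" beat\nwith \'rain\''  # constructed prompt with quotes and a newline
    print(run_generation(sample, 30, "track.wav"))
```

The same shape applies to the HTTP endpoint: take the JSON fields from the request, run them through the validators, and call run_generation; nothing from the request reaches a shell or a code string.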
While the server is running, other local agents or a web page in the user's browser could submit generation requests; combined with the command-injection issue, this increases risk.
The local API is intended for other agents but has no authentication or caller identity checks and explicitly allows cross-origin browser access.
self.send_header('Access-Control-Allow-Origin', '*') ... server = HTTPServer(('localhost', PORT), ACEStepHandler)
Require a local auth token, restrict CORS to trusted origins, consider a Unix socket or localhost-only client with CSRF protection, and disable the server when not needed.
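The finding above is about who may call the server, not what the call does. The following is an added example, not code from the skill, of the recommended mitigations on the same http.server base the skill uses: a bearer token compared in constant time, an exact-match origin allowlist that is echoed back instead of '*', a preflight that only succeeds for allowlisted origins, and a bind to 127.0.0.1. The token source, the allowlist contents, the /generate path and the post_json test client are assumptions; the handler acknowledges a request rather than generating anything.

```python
import hmac
import json
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed values: a real deployment would read the token from a file with
# restrictive permissions and the origin allowlist from user configuration.
API_TOKEN = secrets.token_urlsafe(32)
ALLOWED_ORIGINS = {"http://localhost:7860"}


def origin_allowed(origin) -> bool:
    """Exact-match allowlist; no wildcard, so arbitrary pages get no CORS grant."""
    return origin in ALLOWED_ORIGINS


def token_valid(authorization, expected=None) -> bool:
    """Check 'Authorization: Bearer <token>' with a constant-time comparison."""
    expected = API_TOKEN if expected is None else expected
    if not authorization or not authorization.startswith("Bearer "):
        return False
    presented = authorization[len("Bearer "):]
    return hmac.compare_digest(presented.encode(), expected.encode())


class ACEStepHandler(BaseHTTPRequestHandler):
    def _cors_headers(self):
        origin = self.headers.get("Origin")
        if origin_allowed(origin):  # echo only allowlisted origins, never '*'
            self.send_header("Access-Control-Allow-Origin", origin)
            self.send_header("Vary", "Origin")

    def _reply(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self._cors_headers()
        self.end_headers()
        self.wfile.write(data)

    def do_OPTIONS(self):
        # Preflight succeeds only for allowlisted origins.
        if not origin_allowed(self.headers.get("Origin")):
            self._reply(403, {"error": "origin not allowed"})
            return
        self.send_response(204)
        self._cors_headers()
        self.send_header("Access-Control-Allow-Methods", "POST, OPTIONS")
        self.send_header("Access-Control-Allow-Headers", "Authorization, Content-Type")
        self.end_headers()

    def do_POST(self):
        if not token_valid(self.headers.get("Authorization")):
            self._reply(401, {"error": "missing or invalid token"})
            return
        try:
            length = int(self.headers.get("Content-Length", "0"))
            params = json.loads(self.rfile.read(length))
            if not isinstance(params, dict):
                raise ValueError("body must be a JSON object")
        except ValueError:
            self._reply(400, {"error": "body must be a JSON object"})
            return
        # Request fields are untrusted data: they would be validated and handed to
        # the generator as arguments (argv/JSON), never interpolated into a command.
        self._reply(202, {"accepted": {"prompt": params.get("prompt")}})

    def log_message(self, *args):  # keep the example quiet
        pass


def start_server(port=0) -> HTTPServer:
    """Bind to the loopback interface only; port 0 picks a free port for testing."""
    server = HTTPServer(("127.0.0.1", port), ACEStepHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def post_json(server, body, headers):
    """Small test client: returns (status, response headers) for POST /generate."""
    url = f"http://127.0.0.1:{server.server_port}/generate"
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST", headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)
```

Binding to 127.0.0.1 keeps the listener off the LAN, but a browser on the same machine can still reach it, which is why the token and the origin allowlist are needed in addition; a Unix socket removes the browser path entirely where the calling agents can use one.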
Following that install path would let the remote host execute arbitrary setup code on the user's Mac.
The documentation recommends piping a remote script from an external domain directly into bash, outside the reviewed package contents and without a checksum or pinned version.
curl -fsSL https://evomap.ai/assets/ace-step-deploy.sh | bash
Use the bundled reviewed script or an official upstream installer, pin commits/versions, publish checksums, and ask users to review scripts before execution.
The music service may remain running and reachable on host ports, consuming resources or being callable by unintended clients.
The Docker deployment can expose web/API ports and keep the service running persistently; this is purpose-related but important operational behavior.
ports:
- "7860:7860"
- "8000:8000" ... restart: unless-stopped
Bind services to 127.0.0.1 when possible, add authentication, remove restart persistence unless desired, and stop the containers when not in use.
If enabled or copied into a real send workflow, notifications could go to a specific Feishu user rather than the installer's intended recipient.
The optional Feishu notification code contains a hard-coded recipient identifier, even though actual sending appears simulated or disabled in the provided code.
FEISHU_CHAT = "user:ou_232e435f3b7b35533206709e39cb19b5" # owner
Replace hard-coded recipients with user configuration, declare required credentials, and require confirmation before sending messages or files externally.
