Skill v1.0.0

ClawScan security

Jingle Forge · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign, Mar 15, 2026, 7:06 AM
Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's requirements and runtime instructions are consistent with a jingle-generation integration that calls SenseAudio's API and only needs an API key and common CLI tools.
Guidance
This skill appears coherent for generating short jingles, but check a few things before installing: (1) It requires a SenseAudio API key — verify the service's privacy, data retention, and billing policies since brand names and lyrics will be sent to api.senseaudio.cn. (2) Make sure curl, jq, and xxd are available on the agent runtime (xxd may be missing on some systems), and confirm whether the API returns audio as hex or base64 — the SKILL.md assumes hex. (3) The polling loops lack timeouts — consider adding retry limits or timeouts to avoid hung runs. If you are comfortable sharing brand copy with the external service and accept the billing/usage model, this skill is proportionate to its purpose.

Review Dimensions

Purpose & Capability
ok: Name/description, declared primary credential (SENSEAUDIO_API_KEY), required binaries (curl, jq, xxd), and the SKILL.md's API endpoints all align with a remote audio-generation service. Nothing requested is unrelated to producing short jingles.
Instruction Scope
note: Instructions remain within the jingle-generation flow (collect brand info, generate short lyrics, call lyrics/music/TTS endpoints, poll tasks, save outputs). Two implementation notes: (1) the SKILL.md decodes .data.audio using xxd -r -p (hex) — many audio APIs return base64, so this presumes the API returns hex; that mismatch would break the conversion. (2) The polling loops are unbounded (no max retries/timeout) — can hang indefinitely if the service stalls. Also: user-supplied brand names/lyrics are transmitted to api.senseaudio.cn (expected for the skill).
Install Mechanism
ok: Instruction-only skill with no install/download step (lowest risk). Required CLI tools are standard on Unix-like systems; xxd may be absent on some platforms (e.g., Windows) so the user should ensure these binaries are available.
Credentials
ok: Only a single API key (SENSEAUDIO_API_KEY) is required and is appropriate for an external-generation API. The SKILL.md consistently uses that credential. Users should verify the scope and billing model of the API key before providing it.
Persistence & Privilege
ok: No 'always:true' privilege, no modifications to other skills or system-wide settings, and autonomous invocation is the platform default. The skill does write temporary files (brand_name.json, brand_name.mp3) which is expected and limited in scope.