Lyric Flip
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your theme, prompt content, approved lyrics, and song-generation requests may be sent to SenseAudio, and API calls may consume account quota or credits.
The core workflow uses curl to call an external SenseAudio API with user-derived lyric prompts; this is disclosed and purpose-aligned, but it is still an external tool/API action.
LYRICS_RESP=$(curl -s -X POST "https://api.senseaudio.cn/v1/song/lyrics/create" ... -d "{\"prompt\": \"<PROMPT>\", \"provider\": \"sensesong\"}")Review the skeleton and lyrics before proceeding, avoid sending sensitive text, and ensure inserted prompt or lyric text is safely JSON-encoded rather than blindly pasted into shell commands.
The skill can make authenticated SenseAudio requests under your account, which may affect usage limits or billing depending on the provider account.
The skill declares and uses a SenseAudio API key as a bearer token for the provider's lyric and music APIs; this is expected for the integration and not shown being leaked or reused elsewhere.
required_credentials:
- name: SENSEAUDIO_API_KEY
description: API key from https://senseaudio.cn/platform/api-key
...
-H "Authorization: Bearer $SENSEAUDIO_API_KEY"Use a dedicated SenseAudio API key with the minimum needed access, keep it out of chat messages, and revoke or rotate it if you no longer use the skill.