Skill v1.0.1

ClawScan security

Rapper · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 13, 2026, 3:50 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's requirements and runtime instructions align with its stated purpose (SenseAudio rap/song generation) and only ask for the expected API key; there are no installs or unrelated permissions requested.
Guidance
This skill appears to do exactly what it says: call SenseAudio endpoints to generate or poll for lyrics and songs, using the SENSEAUDIO_API_KEY stored in an environment variable. Before installing:
1) Confirm you trust SenseAudio and the listed homepage (the skill references a nightly.senseaudio.cn site which may be a pre-release/staging domain).
2) Provide an API key with least privilege (rotate/revoke it if you later distrust the skill).
3) Never paste your API key into free-form chat; let the platform store it in the designated secret area.
If you need higher assurance, test with a limited-scope/test API key and monitor network calls and usage in your SenseAudio dashboard.

Review Dimensions

Purpose & Capability
ok · The skill is explicitly for SenseAudio rap/hip-hop/song generation and only declares SENSEAUDIO_API_KEY as a required credential. No unrelated binaries, credentials, or configuration paths are requested, which is proportionate to the described functionality.
Instruction Scope
ok · SKILL.md restricts actions to calling the documented SenseAudio endpoints, polling async jobs, and parsing returned fields. It does not instruct reading other system files, harvesting extra environment variables, or sending data to third-party endpoints beyond the SenseAudio API. It also includes safe-parsing and minimal-request guidance.
Install Mechanism
ok · This is an instruction-only skill with no install spec and no code files, so nothing is written to disk or fetched at install time.
Credentials
ok · Only one environment variable, SENSEAUDIO_API_KEY, is required and is the correct credential for the described API calls. No additional or unrelated secrets are requested.
Persistence & Privilege
ok · The skill does not request always:true, has no install actions, and does not modify other skills or global agent settings. It operates only when invoked and does not demand persistent system privileges.