Songmaker
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill coherently uses a SenseAudio API key and curl commands to generate lyrics and music, with expected privacy and account-usage considerations.
This appears safe to install for its stated purpose. Before using it, make sure you trust SenseAudio with the prompts and lyrics you submit, use an appropriate API key, and watch for account quota or billing implications.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Song and lyric generation requests may use the user's SenseAudio account permissions or credits.
The skill requires and uses a SenseAudio API key. This is expected for the provider integration, but actions may be performed against the user's SenseAudio account or quota.
requires:
  env:
    - SENSEAUDIO_API_KEY
...
-H "Authorization: Bearer $SENSEAUDIO_API_KEY"
Use a dedicated API key if available, monitor account usage, and rotate or revoke the key if it is no longer needed.
Private lyrics, prompts, or song ideas may be processed by the external service.
The skill sends user prompts and lyrics to an external SenseAudio API endpoint. This is central to the feature, but it means submitted content leaves the local environment.
curl -s -X POST "https://api.senseaudio.cn/v1/song/lyrics/create" ... -d "{\"prompt\": \"<USER_PROMPT>\"
Avoid submitting confidential or sensitive material unless the user is comfortable with SenseAudio's handling of that data.
Malformed prompts or lyrics could cause failed requests if not encoded safely by the agent.
The workflow relies on shell commands with user-provided prompt, lyric, title, and style values inserted into request bodies. This is purpose-aligned, but values should be escaped or constructed safely.
LYRICS_RESP=$(curl -s -X POST ... -d "{\"prompt\": \"<USER_PROMPT>\", \"provider\": \"sensesong\"}")
Ensure user-provided text is JSON-escaped when building curl request bodies, and confirm generated lyrics before creating the final song.
