Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ACE Music - Free Suno Alternative Generate unlimited AI music for free using ACE-Step 1.5. Full songs with vocals, lyrics, any genre, any language. No subscription, no credits, no limits. The open-source Suno alternative, powered by ACE Music's free API.

v1.0.0

Generate AI music using ACE-Step 1.5 via ACE Music's free API. Use when the user asks to create, generate, or compose music, songs, beats, instrumentals, or...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name, SKILL.md, API reference, and generate.sh all consistently implement an AI music-generation workflow against https://api.acemusic.ai using an API key. Requiring an API key and posting JSON to a music API is proportional to the stated purpose. However, the SKILL metadata claims no required env vars/credentials while the runtime docs and script clearly expect ACE_MUSIC_API_KEY (and optionally ACE_MUSIC_BASE_URL). This mismatch is a coherence issue.
Instruction Scope
SKILL.md instructs the agent/user to obtain and store an API key and to run scripts that perform network requests to api.acemusic.ai and write decoded audio files to disk — all expected for the stated task. But the instructions also tell the agent to open a browser to an external signup page and to store the key in an env var or TOOLS.md. More importantly, the runtime instructions and included script reference environment variables (ACE_MUSIC_API_KEY, ACE_MUSIC_BASE_URL) and call out use of python3 and curl, yet the skill's declared requirements list none. The instructions do not ask to read unrelated files or exfiltrate data, but the agent will transmit the API key to the external API host, which is expected but should be explicit in metadata.
Install Mechanism
No install spec is provided (instruction-only + a helper script), which is the lower-risk option. The included script will run curl and python3 at runtime — these are not installed by the skill and must exist on the host. Because there is no download/extract of third-party code, there is no high-risk install operation; still, the script will execute network calls and write files to disk when run.
Credentials
The skill requires an API key (ACE_MUSIC_API_KEY) to function, and may use ACE_MUSIC_BASE_URL, but the registry metadata declares no required env vars or primary credential. Declaring no credentials while the runtime requires a bearer token is an inconsistency that could confuse permission reviews or automated secrets audits. The number and scope of env vars requested (one API key) is appropriate for the task, but the missing declaration and the fact the skill will transmit that key to a third-party service are important to surface.
Persistence & Privilege
The skill is not marked always:true and does not request persistent system-wide changes. It simply contains an instruction and a helper script that runs ad-hoc API calls and writes audio files; this is normal for a user-invocable skill and does not grant elevated platform privileges.
What to consider before installing
This skill appears to be a straightforward wrapper around acemusic.ai, but it has three issues you should consider before installing:

1) Metadata mismatch: the skill metadata lists no required environment variables or primary credential, yet the SKILL.md and scripts require ACE_MUSIC_API_KEY (and optionally ACE_MUSIC_BASE_URL). Verify that you are comfortable providing a third-party API key and update any access controls or audit records accordingly.

2) Local dependencies: the helper script uses curl and python3. Ensure those binaries exist and are trusted on the host. Review the script (scripts/generate.sh) yourself — it decodes base64 audio returned by the remote API and writes files to disk.

3) Unknown origin: the skill's source and homepage are unknown. Confirm the legitimacy of acemusic.ai before sharing an API key or using the service. If you need stronger assurance, ask the publisher for a verified homepage, source repository, or a signed release.

If you proceed: set up a dedicated (revocable) API key for this service, test in an isolated environment, and inspect the script and network calls to confirm they only contact api.acemusic.ai and do not send other local data elsewhere.


latest: vk973fqk3y7zqp2g0t89ye0ygr981f7c7
