Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Music Research (Crate)

v0.2.3

AI-powered music research with 92+ tools across 17 sources — MusicBrainz, Bandcamp, Discogs, Genius, Last.fm, Wikipedia, and more. Influence tracing, track v...

by Tarik Moody (@tmoody1973)

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability

The name/description (music research across many sources) aligns with the declared requirements: it needs npx to run the crate-cli and an ANTHROPIC_API_KEY which plausibly powers LLM reasoning inside the CLI. Optional API keys for individual music services are listed as optional in the SKILL.md and are coherent with the described capabilities.

Instruction Scope

The SKILL.md instructs the agent to add an MCP server entry that launches `npx -y crate-cli --mcp-server` and exposes many tools over stdio; it also documents local SQLite caches (collection, playlist, influence cache). The instructions do not ask the agent to read unrelated system files or secrets, but they do instruct running an external CLI that will access networks and persist local caches and configuration. That means queries and data may be transmitted to external services and persisted locally.

Install Mechanism

There is no install spec, but runtime usage relies on `npx` to download and execute `crate-cli` from the npm registry with no pinned version in the provided example. This effectively executes remote code on the agent host at runtime (supply-chain risk). The skill will therefore cause dynamic code to be fetched and run, which increases risk compared to instruction-only behavior that uses only built-in binaries.

Credentials

The one required environment variable (ANTHROPIC_API_KEY) is plausible if the CLI uses Anthropic's models for reasoning. However, the SKILL.md instructs passing that key into the spawned process; that gives the remote-executed CLI full access to the key and any requests it makes to Anthropic. Many additional optional API keys are listed for other services — these are optional but sensitive if provided.

Persistence & Privilege

always:false (good), but the instructions ask the user/agent to add a persistent MCP server entry and the CLI creates local SQLite caches (influence graph, collection, playlists). This results in long-lived configuration and locally stored data; not inherently malicious, but a persistence/privacy consideration.

What to consider before installing

This skill is coherent with its stated purpose, but it will cause your agent to run `npx crate-cli` (unversioned) and hand that process your ANTHROPIC_API_KEY. That means: (1) arbitrary code from the npm registry will be executed on your environment at runtime, (2) the crate-cli process can send queries and any user data to external services (including Anthropic) and persist data locally in SQLite. Before installing: verify the crate-cli package source and version (prefer a pinned version), inspect the crate-cli code or its GitHub repo, consider running it in an isolated environment (container), avoid providing sensitive/high-privilege keys unless you trust the package, and prefer a workflow where you manually install and review the CLI rather than letting npx fetch/execute it automatically.
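
The unpinned `npx` launch and the key handed to the spawned process, both described above, can be checked for mechanically before an MCP entry is added. The JavaScript below is an added example, not part of the skill or of crate-cli; the function names and rule labels are hypothetical, the entry form `npx [flags] <package-spec> [args...]` is assumed, and the pinned version 0.0.0 is a placeholder rather than a real crate-cli release.

```javascript
// Added example: flag MCP server entries that run an unpinned npm package via
// npx and list the secret-looking env vars the spawned process would receive.
// Assumes the entry form `npx [flags] <package-spec> [args...]`.
const SECRET_NAME = /(_KEY|_TOKEN|_SECRET)$/;
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

// Version part of an npm spec ("pkg@1.2.3", "@scope/pkg@1.2.3"), or null.
function specVersion(spec) {
  const at = spec.lastIndexOf("@");
  return at > 0 ? spec.slice(at + 1) : null; // index 0 is a scope, not a version
}

function auditMcpConfig(config) {
  const findings = [];
  for (const [server, entry] of Object.entries(config.mcpServers || {})) {
    const args = entry.args || [];
    if (entry.command === "npx") {
      // First argument that is not a flag is treated as the package spec.
      const spec = args.find((a) => !a.startsWith("-"));
      const version = spec ? specVersion(spec) : null;
      if (spec && !(version && EXACT_VERSION.test(version))) {
        findings.push({ server, rule: "unpinned-package", detail: spec });
      }
      if (args.includes("-y") || args.includes("--yes")) {
        findings.push({ server, rule: "auto-install", detail: "npx installs without prompting" });
      }
    }
    const secrets = Object.keys(entry.env || {}).filter((k) => SECRET_NAME.test(k));
    if (secrets.length > 0) {
      findings.push({ server, rule: "secret-in-env", detail: secrets.join(",") });
    }
  }
  return findings;
}

// The entry from this skill's SKILL.md.
const SKILL_CONFIG = {
  mcpServers: {
    crate: {
      command: "npx",
      args: ["-y", "crate-cli", "--mcp-server"],
      env: { ANTHROPIC_API_KEY: "${ANTHROPIC_API_KEY}" },
    },
  },
};

// Same entry with an exact version; 0.0.0 is a placeholder, not a real release.
const PINNED_CONFIG = JSON.parse(JSON.stringify(SKILL_CONFIG));
PINNED_CONFIG.mcpServers.crate.args[1] = "crate-cli@0.0.0";

for (const f of auditMcpConfig(SKILL_CONFIG)) console.log(`${f.server}: ${f.rule} (${f.detail})`);
```

Pinning clears only the first finding: the `-y` auto-install and the key passed through `env` remain, which is why the isolation and manual-install steps above still apply.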

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🎵 Clawdis
Bins: npx
Env: ANTHROPIC_API_KEY
Primary env: ANTHROPIC_API_KEY
latest: vk971gtn4se7c43mxm9aray6f6d81tdvs
393 downloads
0 stars
1 version
Updated 5h ago
v0.2.3
MIT-0

Music Research with Crate

You have access to Crate's music research tools via MCP. These tools connect to 17 real music databases and 26 publications. Use them to answer music questions with verified, cited data.

MCP Server Setup

Add Crate as an MCP server in your configuration:

{
  "mcpServers": {
    "crate": {
      "command": "npx",
      "args": ["-y", "crate-cli", "--mcp-server"],
      "env": {
        "ANTHROPIC_API_KEY": "${ANTHROPIC_API_KEY}"
      }
    }
  }
}

This exposes all active tools over stdio. Additional API keys unlock more servers (see Optional API Keys below).

Research Patterns

Artist Research

Cross-reference multiple sources for comprehensive artist profiles:

  1. musicbrainz_search_artist — canonical artist ID, discography, relationships
  2. genius_get_artist — bio, aliases, social links, annotations
  3. lastfm_get_artist_info — listening stats, similar artists, tags
  4. discogs_search_artist — label history, pressings, catalog numbers
  5. bandcamp_search — independent releases, merch, direct-support links
  6. wikipedia_search — biographical context, career timeline

Always start with MusicBrainz for the canonical ID, then fan out to other sources.

Influence Tracing

Discover how artists connect through published music criticism:

  1. Use influence_trace_influence to search 26 publications for co-mentions
  2. Results include publication name, critic byline, date, and URL for every connection
  3. Use influencecache_get_path for cached paths (instant BFS results)
  4. Use influencecache_get_neighbors to explore an artist's immediate connections
  5. The influence graph grows with every query — cached in local SQLite

Always cite the publication and review when presenting influence connections. Every claim needs a URL.

Track Verification

CRITICAL: Never invent track names. Always verify tracks exist before presenting them.

  1. bandcamp_get_artist_tracks — primary source for independent artists
  2. musicbrainz_search_recording — primary source for mainstream releases
  3. youtube_search — fallback verification source
  4. If a track cannot be verified against any real database, do not include it

Vinyl & Collecting

  1. discogs_get_release — pressing details, labels, catalog numbers, condition notes
  2. discogs_get_master_release — all versions/pressings of an album
  3. discogs_get_marketplace_stats — current market prices and trends
  4. collection_add_record / collection_search — manage the user's personal collection

Playlist Building

  1. Research tracks using the sources above — verify every track exists
  2. playlist_create — create a new playlist
  3. playlist_add_track — add verified tracks with source URLs
  4. playlist_export_m3u — export to M3U format for external players
  5. Never include a track that hasn't been confirmed against a real database

Publishing

Share research as public web pages or blog posts:

  1. telegraph_create_page — instant shareable page, no account needed
  2. telegraph_create_index — create a living index of all published pages
  3. tumblr_create_post — post to the user's Tumblr blog with markdown formatting
  4. tumblr_tag_post — auto-tag posts with artist names and genres
  5. Always include citations and source links in published research

Critical Rules

  • Every claim must be backed by a real data source — never hallucinate facts, tracks, or connections
  • Influence connections require full attribution: publication name, critic, date, and URL
  • Verify tracks against Bandcamp, MusicBrainz, or YouTube before including in any list
  • Cross-reference facts across multiple sources when possible
  • The influence system searches 26 publications including Pitchfork, The Wire, Resident Advisor, Stereogum, The Guardian, NPR, NME, Bandcamp Daily, and more

Available Servers

| Server | Tools | Env Required | Description |
|---|---|---|---|
| MusicBrainz | 6 | | Artist/release/recording metadata |
| Bandcamp | 7 | | Independent music, artist tracks |
| Wikipedia | 3 | | Biographical context |
| YouTube | 6 | | Video search, audio playback |
| Radio | varies | | Internet radio streaming |
| News | varies | | Music news via RSS |
| Collection | 5 | | Local record collection (SQLite) |
| Playlist | varies | | Playlist management (SQLite) |
| Influence Cache | 8 | | Local influence graph (SQLite) |
| Telegraph | 5 | | Anonymous publishing |
| Last.fm | 7 | LASTFM_API_KEY | Scrobbles, similar artists |
| Genius | 8 | GENIUS_ACCESS_TOKEN | Lyrics, annotations |
| Discogs | 9 | DISCOGS_KEY, DISCOGS_SECRET | Vinyl catalog, marketplace |
| Web Search | 4 | TAVILY_API_KEY or EXA_API_KEY | Publication search |
| Influence | 3 | TAVILY_API_KEY or EXA_API_KEY | Live influence tracing |
| Tumblr | 5 | TUMBLR_CONSUMER_KEY, TUMBLR_CONSUMER_SECRET | Blog publishing |
| Memory | 3 | MEM0_API_KEY | Persistent user preferences |

Optional API Keys

Set these environment variables to unlock additional servers:

LASTFM_API_KEY        — Last.fm listening stats and similar artists
GENIUS_ACCESS_TOKEN   — Lyrics, annotations, and artist bios
DISCOGS_KEY           — Vinyl catalog, labels, and marketplace
DISCOGS_SECRET        — Required with DISCOGS_KEY
TAVILY_API_KEY        — Web search across 26 music publications
EXA_API_KEY           — Neural semantic search for influence tracing
YOUTUBE_API_KEY       — Improved YouTube search results
TUMBLR_CONSUMER_KEY   — Publish research to your Tumblr blog
TUMBLR_CONSUMER_SECRET — Required with TUMBLR_CONSUMER_KEY
MEM0_API_KEY          — Persistent memory across sessions

Only ANTHROPIC_API_KEY is required. All other servers are optional.
