Music Generation
v1.0.0
Generate AI music with optimized prompts, style control, and production-ready audio output.
⭐ 5 · 2.8k · 15 current · 15 all-time
by Iván @ivangdavila
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill is legitimately a multi-provider music-generation guide and the included provider files (MusicGen, Stable Audio, Suno, Replicate, Mubert, Soundraw, Riffusion, Udio) align with the stated purpose. However, the registry metadata declares no required environment variables or credentials, while the provider files contain numerous examples using API keys and tokens (e.g., API_KEY, REPLICATE_API_TOKEN, STABILITY_API_KEY). That mismatch (no declared secrets but many example credentials) is disproportionate and unexplained. The SKILL.md also references unofficial APIs/wrappers for providers that state they have no official API (e.g., Suno unofficial endpoints), which deserves scrutiny.
Instruction Scope
The runtime instructions stay focused on music generation and prompting best practices. They direct the agent to consult the provider files for API usage. The provider files include code samples that perform network calls, open local files (e.g., open('melody.wav','rb')), poll webhooks, and show webhook URLs — all reasonable for a multi-provider integration. The instructions do not ask the agent to read arbitrary system secrets or unrelated files, but because they instruct the agent to follow provider usage, the agent could be directed to send user content or keys to external endpoints if invoked.
Install Mechanism
This is instruction-only with no install spec and no code files that run on install — lowest-risk install mechanism. Nothing is written to disk by an installer. The provider docs reference installing provider SDKs (pip installs) for local models, which is normal and expected, but these are not performed automatically by the skill.
Credentials
Although the skill metadata lists no required env vars, the provider files repeatedly reference multiple credentials (REPLICATE_API_TOKEN, STABILITY_API_KEY, generic API_KEY placeholders, Bearer tokens, webhook URLs). A user would need to supply multiple unrelated API keys to use the integrations. The SKILL.md does not declare or scope these credentials (no primaryEnv or required.env), so it's unclear how secrets are expected to be provided, stored, or used — this is a proportionality and transparency problem. Some provider entries point to unofficial third‑party APIs/wrappers (Suno via api.sunoapi.org, piapi.ai) which increase risk of credential leakage or unexpected data handling if used.
Persistence & Privilege
The skill does not request persistent/always-on presence (always: false). Autonomous invocation is permitted by default (disable-model-invocation: false), which is expected for skills. There is no evidence the skill requests to modify other skills or system-wide configuration. If combined with the environment concerns, consider restricting autonomous use until credentials/endpoints are verified.
What to consider before installing
This skill is a curator/guide for many music-generation providers and appears coherent for that purpose, but proceed cautiously:
- Expect to provide API keys/tokens for providers you want to use (Replicate, Stability, Mubert, Soundraw, etc.). The skill's registry entry does not declare these env vars — ask the publisher which credentials it needs and how they are handled.
- Some provider examples reference unofficial third‑party endpoints (e.g., Suno unofficial APIs, PiAPI). Verify the authenticity and privacy policies of any non-official endpoints before sending content or keys; prefer official vendor APIs.
- Never paste high‑privilege secrets into chat. If you must provide keys, create scoped, limited API keys with usage/financial limits and revoke them after testing.
- The skill may make network calls when invoked. If you want to limit risk, disable autonomous invocation for this skill or monitor outgoing requests/logs until you trust it.
- For commercial use, double-check licensing terms for each model/provider (several entries note research or subscription licenses).
If you want to install this skill, ask the maintainer to (1) list exactly which env vars/credentials are required, (2) indicate which endpoints are official, (3) explain whether the skill stores any tokens or sends data to third parties, and (4) provide an option to run in a local-only mode (e.g., MusicGen/Stable Audio local models) to avoid sending material to external services.
Like a lobster shell, security has layers — review code before you run it.
latest vk977rw3zs6358rra0gh4eggkyd810y3c
Runtime requirements
🎵 Clawdis
OS: Linux · macOS · Windows
