ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Music

v1.0.1

AI music generation assistant powered by MakebestMusic. Use when user wants to create AI-generated music, songs, or audio tracks. Perfect for content creator...

0· 142·0 current·0 all-time
byMakeBestMusic@sthk-mbm·duplicate of @sthk-mbm/texttomusic
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, SKILL.md, and the two scripts all target MakebestMusic's API and only require a single apiKey credential — this matches the stated purpose of generating music.
Instruction Scope
Runtime instructions only run the included node scripts and return or show status/links from the MakebestMusic API. The scripts do not read unrelated files or attempt to transmit data to other services beyond the configured API endpoint.
Install Mechanism
No install spec; skill is instruction-only with small JS scripts. No downloads or archive extraction are performed by the skill itself — low installation risk.
Credentials
The skill declares a single required credential (apiKey), which is appropriate. One minor point: both scripts optionally read MBM_API_BASE from the environment to override the API base URL, but MBM_API_BASE is not listed in the declared requirements. This override is commonly used for testing but could be misused if an environment variable were maliciously set to redirect requests to an attacker-controlled endpoint; consider ensuring MBM_API_BASE is not set to an untrusted host.
Persistence & Privilege
The skill is not always-enabled, is user-invocable, and does not request system-wide configuration changes or access to other skills' credentials.
Assessment
This skill appears to do what it claims: it sends prompts and your apiKey to MakebestMusic and reports back status/links. Before installing: 1) Confirm you trust makebestmusic.com and the key you generate (review their privacy/tos if needed). 2) Treat the apiKey like a secret — only grant it to this skill and consider whether the provider lets you scope or rotate keys. 3) Ensure no untrusted MBM_API_BASE environment variable is set on your system (it can redirect requests to another host). 4) If you need higher assurance, inspect the scripts yourself or run them in an isolated environment to observe network calls.
scripts/generate.js:3
Environment variable access combined with network send.
scripts/query.js:3
Environment variable access combined with network send.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk9783c3f1sg8h4nkdh868802c1833sg2

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎵 Clawdis
EnvapiKey
Primary envapiKey

Comments