ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Generate ai Music

v1.0.1

AI music generation assistant powered by MakebestMusic. Use when user wants to create AI-generated music, songs, or audio tracks. Perfect for content creator...

0· 136·0 current·0 all-time
byMakeBestMusic@sthk-mbm·duplicate of @sthk-mbm/texttomusic
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (AI music generation) aligns with the code and SKILL.md. The only required secret is 'apiKey', which the scripts use as a Bearer token to call Makebestmusic endpoints. No unrelated services, binaries, or config paths are requested.
Instruction Scope
SKILL.md limits runtime behavior to running the included node scripts, prompting the user for a description when needed, and checking status. It does not instruct reading other files, scanning system state, or exfiltrating data to unexpected endpoints.
Install Mechanism
There is no install spec (instruction-only skill with two small JS scripts). Nothing is downloaded from arbitrary URLs or written to non-standard system locations.
Credentials
Only 'apiKey' is required and declared as primaryEnv, which is appropriate for a service API. The code also respects an optional MBM_API_BASE env var (defaults to api.makebestmusic.com); this allows redirecting the endpoint and should only be set to trusted values. No other sensitive env vars or unrelated credentials are requested.
Persistence & Privilege
Skill is not 'always: true' and does not request system-wide config changes. It runs as a user-invoked/autonomously-invokable skill (the platform default) and does not modify other skills' settings.
Assessment
This skill appears coherent: it only needs a MakebestMusic apiKey and calls the provider's API to create and query music jobs. Before installing, confirm you trust MakebestMusic (the skill's source/homepage metadata is missing), store the apiKey securely, and avoid setting MBM_API_BASE unless you trust the alternate endpoint (it would redirect where your key and prompts are sent). If you have doubts about provenance, review the small scripts (they are included and readable) or only enable the skill as user-invocable rather than globally automatic.
scripts/generate.js:3
Environment variable access combined with network send.
scripts/query.js:3
Environment variable access combined with network send.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk976d62ayyfk98yfknv08q88t5832en5

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎵 Clawdis
EnvapiKey
Primary envapiKey

Comments