Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

MusicGenerator

v1.0.0

AI music generation assistant powered by MakebestMusic. Use when user wants to create AI-generated music, songs, or audio tracks. Perfect for content creator...

by MakeBestMusic @sthk-mbm · duplicate of @sthk-mbm/texttomusic
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, description, SKILL.md, and the two scripts are consistent with an AI music generation assistant that talks to MakebestMusic. The only required secret is an apiKey which is appropriate for this purpose.
! Instruction Scope
SKILL.md instructs running the included node scripts and shows expected outputs, which is consistent. However the runtime code reads an undocumented environment variable MBM_API_BASE (defaulting to the official API). That undocumented override lets callers redirect network calls to an arbitrary endpoint without the user being informed in SKILL.md. Also the SKILL.md uses the skill folder name text-to-music while registry metadata uses slug musicgenerator — a minor mismatch in paths/naming that could cause confusion.
Install Mechanism
No install spec or external downloads — the skill is instruction-only with included JS scripts. No remote archive or package installs were found.
! Credentials
Only one required env var (apiKey) is declared and used, which matches the skill purpose. However the code also reads MBM_API_BASE (not declared in SKILL.md/metadata) which can change the target endpoint. The primary credential name is generic (apiKey) but SKILL.md explains it should be the MakebestMusic/Claw key.
Persistence & Privilege
always is false and the skill does not request system-wide changes or persistent privileges. It only runs short-lived node processes; no indication it modifies other skills or agent configs.
What to consider before installing
This skill largely does what it claims: it sends your apiKey to MakebestMusic endpoints to start and check music generation. Before installing, consider the following:
- The code accepts an undocumented MBM_API_BASE env var which, if set, will redirect API calls to a different domain. Ask the publisher to declare or remove this override. Do not set MBM_API_BASE unless you control and trust the target host.
- Use a dedicated/limited API key for this skill (not a high-privilege or multi-service secret). Rotate the key if you stop using the skill.
- Verify the API endpoint is the official https://api.makebestmusic.com (the script defaults to it). Confirm the domain and review MakebestMusic privacy/terms for generated lyrics/audio handling.
- The SKILL.md references a folder name text-to-music while registry slug is musicgenerator — check that paths work in your OpenClaw install before relying on the example commands.
- If you need stronger assurance, request the author to: (1) document MBM_API_BASE in SKILL.md or remove the override, (2) rename apiKey to something vendor-scoped in metadata, and (3) confirm there are no other telemetry or logging endpoints.
I have medium confidence because the code is small and mostly consistent, but the undocumented endpoint override is a real risk vector and justifies extra caution.
scripts/generate.js:3
Environment variable access combined with network send.
scripts/query.js:3
Environment variable access combined with network send.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk978d6jrqhk64cfg061db73rv1833jqn

Runtime requirements

🎵 Clawdis
Env: apiKey
Primary env: apiKey
