Text to Music

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a straightforward MakebestMusic music-generation skill that needs an API key and sends user prompts to that service.

Install only if you trust MakebestMusic with your song prompts and are comfortable providing an API key. Prefer a dedicated key you can revoke, and leave the API base at its default trusted MakebestMusic endpoint.

Static analysis

Env credential access

Critical
Finding
Environment variable access combined with network send.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
Low
What this means

Your MakebestMusic key can be used to create music and may consume account quota or billing, and your prompt is sent to the provider.

Why it was flagged

The helper uses the configured API key as a bearer token and sends the user's music prompt to the MakebestMusic API base. This matches the skill purpose, but it is credentialed account access.

Skill content
const API_BASE = process.env.MBM_API_BASE || "https://api.makebestmusic.com";
const API_KEY = process.env.apiKey;
...
Authorization: `Bearer ${API_KEY}`,
...
prompt: prompt,

Recommendation

Use a dedicated, revocable MakebestMusic key, avoid putting secrets in prompts, and do not override MBM_API_BASE unless you trust the endpoint.