Topmediai AI Music Generator

Pass

Audited by ClawScan on May 1, 2026.

Overview

This skill coherently generates music through the TopMediai API. The main things to notice are API-key use, external prompt submission, and local Python helper execution.

Install only if you are comfortable providing a TopMediai API key and sending your prompts or lyrics to TopMediai. Keep the .env file private, watch for quota or billing impact, and consider verifying the publisher/source because the registry metadata does not provide a homepage or source URL.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Prompts, lyrics, task IDs, and song IDs may be sent to TopMediai, and generation or MP4 actions may consume account quota.

Why it was flagged

The skill exposes external API operations and polling; these are disclosed and directly aligned with the advertised music-generation purpose.

Skill content

- Generate lyrics: `POST {BASE_URL}/v1/lyrics`
- Submit generation: `POST {BASE_URL}/v3/music/generate`
- Query tasks: `GET {BASE_URL}/v3/music/tasks?ids=<id[,id2,...]>`

Recommendation

Use prompts you are comfortable sending to TopMediai, and monitor any paid quota or credits tied to the API key.

What this means

Anyone who can read or misuse the configured key could act against the linked TopMediai account within that key's permissions.

Why it was flagged

The helper code uses a TopMediai API key as an account credential. This is necessary for the stated API integration and no unrelated credential use is shown.

Skill content

`DEFAULT_KEY = os.environ.get("TOPMEDIAI_API_KEY")` ... `return {"x-api-key": key, "Content-Type": "application/json"}`

Recommendation

Keep the .env file private, use a dedicated key if possible, and rotate the key if it may have been exposed.

What this means

Users cannot independently confirm from the metadata that the package comes from the claimed provider.

Why it was flagged

The artifact set includes full source, but the registry metadata does not provide an external source or homepage for provenance verification.

Skill content

Source: unknown
Homepage: none

Recommendation

Review the included source, verify the publisher if that matters to you, and install dependencies only in a trusted Python environment.