Gen Music

PassAudited by ClawScan on May 1, 2026.

Overview

This skill appears purpose-aligned for generating music, but users should only use a trusted ACE-Step backend because prompts, lyrics, and optional API credentials may be sent there.

Before installing, confirm that you trust the ACE-Step-compatible backend URL you plan to use, especially if it is remote. Do not send private lyrics or sensitive prompts to an endpoint you do not control, and use a scoped API key if authentication is needed.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Info

#ASI02: Tool Misuse and Exploitation

What this means

The skill can create local audio files and interact with the configured music backend when invoked.

Why it was flagged

The skill relies on a local Python helper to submit music generation jobs and save output files. This is expected for the stated purpose, but users should recognize that it performs network-backed generation and local file writes.

Skill content

python3 {baseDir}/scripts/generate.py --prompt "playful beach pop song about rising waves"

Recommendation

Use the provided commands only for intended music-generation requests, and choose an output directory where generated audio files are safe to store.

Low

#ASI03: Identity and Privilege Abuse

What this means

If you configure an API key, the skill may authenticate to the selected backend on your behalf.

Why it was flagged

The skill supports an optional API key for the ACE-Step-compatible backend. This is purpose-aligned, but it means the backend credential may be used by the helper script.

Skill content

Supported env vars:

- `ACESTEP_API_BASE_URL`
- `ACESTEP_API_KEY`
- `ACESTEP_OUTPUT_DIR`

Recommendation

Use a backend-specific, least-privilege API key and avoid configuring secrets for untrusted or unnecessary remote endpoints.

Low

#ASI07: Insecure Inter-Agent Communication

What this means

Prompts and lyrics can be transmitted to the configured ACE-Step-compatible service.

Why it was flagged

The script sends the user's prompt and lyrics to the configured backend, which may be local or remote. This data flow is disclosed and necessary for music generation.

Skill content

submit_payload = {
        "model": model or DEFAULT_MODEL,
        "messages": build_chat_messages(prompt, lyrics, duration),
    }
    response = request_json(
        "POST",
        f"{base_url}/v1/chat/completions",

Recommendation

Prefer a local or trusted backend for private lyrics or sensitive prompts, and confirm the base URL before using a remote endpoint.