Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Byted Music Generate

v1.0.0

Generate music using Volcengine Imagination API. Supports vocal songs, instrumental BGM, and lyrics generation. Use when the user wants to create songs, back...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description indicate Volcengine music generation and the code and docs implement HMAC-authenticated calls to the Volcengine Imagination API — the requested capability matches the stated purpose. However, the registry metadata lists no required environment variables or primary credential while SKILL.md and scripts require VOLCENGINE_ACCESS_KEY and VOLCENGINE_SECRET_KEY (inconsistent metadata).
Instruction Scope
SKILL.md instructs running the included Python script and monitoring its stdout/stderr while it polls the provider. The runtime instructions and code are scoped to submitting tasks and polling results from Volcengine; they do not instruct reading unrelated files or exfiltrating data. The doc's requirement to 'periodically (every 10 seconds) read the terminal output' is operationally odd but not malicious.
Install Mechanism
There is no external install spec or remote download. The bundle contains a Python script and a simple requirements.txt (requests). No obscure installers or external URLs are fetched at install time, so installation risk is low.
Credentials
The only secrets used by the script are VOLCENGINE_ACCESS_KEY and VOLCENGINE_SECRET_KEY which are proportionate to calling Volcengine APIs. The concern is that the registry metadata declared no required env vars/credentials while both SKILL.md and the script require AK/SK — this mismatch could lead users to miss the need to provide credentials or to provide them without noticing. Also note supplying AK/SK grants API/billing access to your Volcengine account.
Persistence & Privilege
The skill does not request always:true, does not persist changes to other skills or system config, and does not create background services. It runs as an invoked script and makes network calls to Volcengine only.
Scan Findings in Context
[no_findings] expected: Static pre-scan reported no injection signals. This is expected for straightforward Python code that performs HMAC-signed HTTP requests to the official Volcengine API host.
What to consider before installing
This skill implements Volcengine music generation and requires your Volcengine AccessKey (VOLCENGINE_ACCESS_KEY) and SecretKey (VOLCENGINE_SECRET_KEY). Before installing: (1) confirm the skill source and trustworthiness (registry metadata omitted the required credentials; ask the publisher to correct this); (2) use a dedicated, minimum-privilege API key (or an account with limited billing) rather than your primary account key; (3) be aware the script will submit tasks that may incur charges (billing modes exist); (4) inspect or run the included Python script in a sandboxed environment if you want to verify behavior yourself — the code appears to only call open.volcengineapi.com, sign requests with HMAC, poll task status, and return audio URLs. If you do not trust the publisher or cannot confirm the origin, do not provide your AK/SK.

Like a lobster shell, security has layers — review code before you run it.
