Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

WeryAI Music Generator

v0.1.2

Generate WeryAI music, vocal songs, or instrumental tracks through the WeryAI music API. Use when the user needs music generation, song generation, instrumen...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The name and description (WeryAI music generation) match the required items: a Node runtime and WERYAI_API_KEY/WERYAI_BASE_URL. The scripts implement submit, wait, status, and balance checks, which are expected for a music-generation client.
Instruction Scope
SKILL.md and AGENTS.md instruct the agent to run the provided node scripts. The runtime will read local files when a user supplies local reference_audio and automatically upload them to the WeryAI server — this is coherent with the stated feature (reference-audio guided generation) but is a meaningful capability (reading local files and sending them over the network) that users should be aware of.
Install Mechanism
This is instruction- and script-based with no installation download step. No remote installers or third-party package installs are present in the manifest; only Node.js (>=18) is required.
Credentials
Only WERYAI_API_KEY (primary) and WERYAI_BASE_URL are required, which is proportional for an API client. However, the skill allows overriding the base URL and includes logic that will upload local files to ctx.baseUrl; combined with the special WERYAI_ALLOW_INSECURE_UPLOAD flag (which suppresses a warning), an attacker or misconfiguration could redirect uploads/API calls to an untrusted host and thereby leak local files or the API key via outbound requests. The SKILL.md documents this override and warns to only set a trusted host.
Persistence & Privilege
The skill does not request permanent 'always' inclusion and does not modify other skills or system settings. It runs as user-invoked node scripts and does not persist credentials to the repository (SKILL.md explicitly warns not to save the API key to repo).
Scan Findings in Context
No pre-scan findings (expected): the static pre-scan reported no injection signals. The package contains many vendor and utility scripts; the absence of findings is plausible, but on its own it is not sufficient to imply safety.
Assessment
This package appears to be a legitimate WeryAI client: it needs Node and your WERYAI_API_KEY and (optionally) a base URL. Before installing or running in a sensitive environment:
1) Do not set WERYAI_BASE_URL to an untrusted host — the code will send your API key in Authorization headers and may upload local files to that endpoint.
2) Be cautious when providing local file paths for reference_audio: the scripts will read those files and upload them to the API host.
3) Avoid setting WERYAI_ALLOW_INSECURE_UPLOAD unless you fully trust the target host.
4) Review the scripts (especially uploadLocalFileToPublicUrl) if you need higher assurance; run a dry-run first (the skill supports --dry-run) and use the balance check to confirm credentials.
If you must use it in automated contexts, restrict the agent runtime permissions and ensure the environment variables point to the official api.weryai.com endpoint.
Patterns worth reviewing

These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

scripts/vendor/weryai-core/upload.js:147 — Environment variable access combined with network send.
scripts/vendor/weryai-core/upload.js:131 — File read combined with network send (possible exfiltration).




Runtime requirements

🎵 Clawdis
Bins: node
Env: WERYAI_API_KEY, WERYAI_BASE_URL
Primary env: WERYAI_API_KEY
