Crazyrouter Music Gen

PassAudited by ClawScan on May 10, 2026.

Overview

This skill is coherent for generating music through Crazyrouter, but it requires an API key and sends your prompt, lyrics, and title to that external service.

Before installing, confirm you trust Crazyrouter with your prompts and lyrics, set CRAZYROUTER_API_KEY only in a trusted environment, make sure CRAZYROUTER_BASE_URL is not unexpectedly overridden, and save generated audio to a non-sensitive output path.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Low

#ASI03: Identity and Privilege Abuse

What this means

Your Crazyrouter API key may authorize paid or account-bound requests; if CRAZYROUTER_BASE_URL is set unexpectedly, the request could go to a non-default endpoint.

Why it was flagged

The script sends the Crazyrouter API key as bearer authentication to the configured API endpoint. This is expected for the stated service, but the optional base URL override and the credential are not fully reflected in registry metadata.

Skill content

const API_BASE = process.env.CRAZYROUTER_BASE_URL || "https://crazyrouter.com/v1"; ... headers: { "Authorization": `Bearer ${apiKey}`, "Content-Type": "application/json" }

Recommendation

Set CRAZYROUTER_API_KEY only in a trusted environment, verify CRAZYROUTER_BASE_URL is unset or points to a trusted Crazyrouter-compatible endpoint, and rotate the key if it may have been exposed.

Low

#ASI07: Insecure Inter-Agent Communication

What this means

Any private text included in the prompt, lyrics, or title will be shared with the external music-generation provider.

Why it was flagged

The user prompt, optional lyrics, and optional title are sent to Crazyrouter as model input, which is central to generating the music.

Skill content

body: JSON.stringify({ model: args.model, messages: [{ role: "user", content: userContent }] })

Recommendation

Do not include secrets, private credentials, or sensitive personal information in music prompts or lyrics unless you are comfortable sending them to Crazyrouter.

Low

#ASI02: Tool Misuse and Exploitation

What this means

The skill can overwrite or create the output file path chosen for the generated audio, but no broad file access or automatic execution is shown.

Why it was flagged

When an output path is provided, the script downloads the audio URL returned by the provider and writes it to the requested local file.

Skill content

const audioResponse = await fetch(url); ... await writeFile(args.output, buffer);

Recommendation

Use a clear, safe output path for generated audio and avoid pointing it at important existing files.