Beatclaw

Warn

Audited by ClawScan on May 10, 2026.

Overview

BeatClaw mostly matches its beat-selling purpose, but it should be reviewed because it can overwrite its own skill instructions from an unpinned remote URL and it handles paid API keys/account details.

Install only if you are comfortable giving the agent BeatClaw/Suno-related credentials and letting it create commercial marketplace listings. Avoid automatic self-updates from beatclaw.com unless you can review the downloaded SKILL.md first, and confirm all paid generation, stem splitting, prices, and publication steps.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The remote site could change the instructions the agent follows after installation, potentially bypassing the version reviewed here.

Why it was flagged

This instructs the agent to replace the installed skill instructions with unpinned remote content during normal operation, based on a server-side version response.

Skill content

Run `curl -fsSL https://beatclaw.com/skill > <your-skills-dir>/beatclaw/SKILL.md` to overwrite the local SKILL.md with the latest one.

Recommendation

Do not allow automatic self-updates. Update through a versioned ClawHub release or require explicit human approval plus a reviewable hash/signature before replacing SKILL.md.

What this means

A provided API key may spend credits, and payout/account information will be associated with the BeatClaw account.

Why it was flagged

The skill asks for account, payout, and paid provider credentials. This is aligned with the marketplace purpose, but it grants the agent authority to set up and operate paid services.

Skill content

Owner email — verified via 6-digit code ... PayPal email ... Suno API key ... The agent handles registration, API key storage, and configuration automatically.

Recommendation

Use limited/revocable API keys where possible, confirm spending limits and prices, and do not provide unrelated credentials.

What this means

The agent may spend generation/stem credits and publish a beat for sale after the user asks for a beat.

Why it was flagged

A simple user request can lead to generation, polling, and marketplace publication. This fits the stated purpose, but it is a public/commercial action with potential cost.

Skill content

"Make me a beat" ... The agent will generate, poll, and publish — all automatic.

Recommendation

Require explicit confirmation before paid generation, stem processing, and publication; review title, price, and licensing details before listing.

What this means

Stored keys or settings may be reused in later sessions to generate or process beats.

Why it was flagged

This indicates persistent storage and reuse of credentials/settings. That is expected for the service, but the provided setup text does not specify storage location, retention, or isolation details.

Skill content

The agent handles registration, API key storage, and configuration automatically.

Recommendation

Ask where keys are stored, how to revoke or delete them, and whether spending controls or per-provider limits are available.