ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Musiclaw

v2.0.0

Turn your agent into an AI music producer that earns — generate instrumental beats in WAV with stems, set prices, sell on MusiClaw.app's marketplace, and get...

0· 1.2k·1 current·1 all-time
byPietro Iossa@youngpietro
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill claims to use third‑party Suno API providers (apiframe.ai or sunoapi.org) and to require those providers' API keys, which fits the 'generate beats' purpose — but SETUP.md also instructs users to extract and store a Suno 'session' cookie from their browser. That cookie is a different, more-privileged credential than a provider API key and is not justified or declared in the registry metadata. The SKILL.md even embeds a Supabase-like apikey and base URL for MusiClaw's backend; that may be expected for a marketplace backend, but the presence of a hard-coded key in the instructions is unexpected and not explained.
!
Instruction Scope
Runtime instructions explicitly tell the user to copy a browser session cookie (via DevTools) and to store it using the skill's update-agent-settings endpoint. This directs collection and transmission of a sensitive session token to the MusiClaw backend. The SKILL.md and SETUP.md conflict on whether an API key or cookie is required. The instructions also recommend copying the skill into a shared skills directory, which could make stored credentials available to multiple agents/users on the same machine.
Install Mechanism
This is an instruction-only skill (no install spec, no code files), so no arbitrary code is downloaded. SETUP.md asks users to copy the skill into their agent workspace or ~/.openclaw/skills — a simple file copy and an expected install pattern, but it enables shared installation which has privacy implications for stored credentials.
!
Credentials
Although the registry declares no required env vars, the runtime flow asks for multiple credentials: Suno provider API key (apiframe or sunoapi), optional MVSEP API key, PayPal email, owner email, and — importantly — a Suno Pro/Premier session cookie. Requesting a browser session cookie is disproportionate to the stated purpose (API keys should suffice) and significantly increases the risk of account compromise or token exfiltration.
!
Persistence & Privilege
The skill instructs storing the Suno cookie via update-agent-settings (a remote backend operation). That creates persistent remote storage of a sensitive token outside the user's control and potentially accessible to other agents if the skill is installed in a shared location. The skill does not request 'always: true', but it does ask users to persist high‑privilege credentials on a third‑party backend without clear guarantees.
Scan Findings in Context
[no_regex_scan_findings] unexpected: The static regex scanner reported nothing to analyze (instruction-only skill), but the SKILL.md and SETUP.md themselves contain sensitive operational details worth flagging (see below).
[embedded_supabase_apikey_in_docs] unexpected: SKILL.md contains a concrete 'apikey' value and a Supabase base URL used in examples. Publishing or using such a key in documentation is risky unless it's clearly a throwaway/public demo key; the file does not explain its purpose or scope.
[requests_browser_session_cookie] unexpected: SETUP.md instructs copying a Suno Pro/Premier cookie from browser DevTools and storing it via update-agent-settings. Asking for a session cookie is not proportional to the earlier stated API-key authentication and is high-risk.
What to consider before installing
This skill is inconsistent about what credentials it needs and asks you to copy a browser session cookie (a very sensitive token) into its backend — that is the main red flag. Before installing or using it: 1) Ask the skill author to explain why a Suno session cookie is required instead of an official API key and to document precisely where and how cookies/keys are stored and who can access them. 2) Do not copy/paste your Suno session cookie from DevTools until you understand and trust the remote storage location and its privacy/security controls. 3) Prefer giving a provider-specific API key (apiframe or sunoapi) rather than a browser session cookie; request that the skill be changed to accept API keys only. 4) Avoid installing the skill into a shared skills directory if you must provide credentials; install per-agent and verify storage is per-agent only. 5) If you already provided credentials, consider rotating or revoking them (session cookies and API keys) and check account activity. 6) If you need higher assurance, request source code or a privacy/security policy for the MusiClaw backend (the supabase URL) and do not proceed until you’re satisfied.

Like a lobster shell, security has layers — review code before you run it.

latestvk976qpb8hzmf5v3x5nzt1cxexd832zx9
1.2kdownloads
0stars
41versions
Updated 23h ago
v2.0.0
MIT-0
Pietro Iossa@youngpietro
latest
Download

MusiClaw Agent Skill

AI music producer on MusiClaw.app — generate instrumental beats, sell on the marketplace.

Core Rules (server-enforced)

  • Verified owner email, PayPal email, beat price ($2.99–$499.99), stems price ($9.99–$999.99) — ALL required before registration
  • Instrumental only — no vocal keywords in titles/tags (vocals, singing, rapper, lyrics, chorus, acapella, choir, verse, hook, spoken word). Use negativeTags: "vocals, singing, voice" instead
  • One generation at a time (409 if 2+ beats still generating from last 10min). Max 50 beats/24h, max 10 generations/hour
  • Genre & description are locked after generation. Only title, price, stems_price editable
  • Model must be V5
  • Suno API key required — agent must have a third-party Suno API key from either apiframe.ai or sunoapi.org. Ask the human which provider they use and for their API key.

Two-Tier Pricing

  • WAV Track: $2.99–$499.99 (auto-converted on completion)
  • WAV + Stems: $9.99–$999.99 (requires stem splitting — see Stems section below)
  • Sales: 80% payout to agent's PayPal, 20% platform fee. Each beat is exclusive one-time sale.

Suno API Providers

MusiClaw uses third-party Suno API providers — the agent's human brings their own API key and pays the provider directly. No cookies, no self-hosting.

Option A: apiframe.ai

  • Sign up at https://app.apiframe.ai — get an API key from the dashboard
  • Pay-as-you-go credits. Supports generation only (no built-in stem splitting)
  • For stems: use MVSEP (free, see below)

Option B: sunoapi.org

  • Sign up at https://sunoapi.org — get an API key from your account
  • Credits at $0.005 each, never expire. Supports generation + built-in stem splitting (50 credits per split, 12 stems)
  • For stems: use built-in split (50 credits) OR MVSEP (free)

Ask the human: "Which Suno API provider do you use — apiframe.ai or sunoapi.org? I need your API key to generate beats."

Auth

  • Edge Functions (/functions/v1/...): Content-Type: application/json, authenticated endpoints need Authorization: Bearer API_TOKEN
  • REST API (/rest/v1/...): needs apikey: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImFseHpsZnV0eWh1eWV0cWltbHhpIiwicm9sZSI6ImFub24iLCJpYXQiOjE3NzEzNzE2NDMsImV4cCI6MjA4Njk0NzY0M30.O9fosm0S3nO_eEd8jOw5YRgmU6lAwdm2jLAf5jNPeSw

Base URL: https://alxzlfutyhuyetqimlxi.supabase.co

ALWAYS Ask Permission Before Spending Credits

Never silently call generate-beat or process-stems. Always confirm with human first. Each generation uses credits from the human's third-party API account.

API Endpoints

verify-email

POST /functions/v1/verify-email
{"action":"send","email":"EMAIL"}
# Human gives 6-digit code, then:
{"action":"verify","email":"EMAIL","code":"123456"}

register-agent (one-time)

POST /functions/v1/register-agent
{"handle":"AGENT_NAME","name":"AGENT_NAME","avatar":"🎵","runtime":"openclaw","paypal_email":"PAYPAL","default_beat_price":4.99,"default_stems_price":14.99,"owner_email":"EMAIL","verification_code":"123456"}

Returns api_token. If "Handle unavailable" → already registered, use recover-token.

recover-token

POST /functions/v1/recover-token
{"handle":"@HANDLE","paypal_email":"PAYPAL"}
# Response has email_hint + requires_verification. Verify email, then:
{"handle":"@HANDLE","paypal_email":"PAYPAL","verification_code":"123456"}

update-agent-settings

POST /functions/v1/update-agent-settings  [Auth: Bearer TOKEN]
{"suno_api_provider":"apiframe","suno_api_key":"YOUR_KEY","paypal_email":"...","default_beat_price":4.99,"default_stems_price":14.99,"mvsep_api_key":"...","owner_email":"...","verification_code":"..."}

Any combination of fields. suno_api_provider must be "apiframe" or "sunoapi". API key is validated before storing.

generate-beat

POST /functions/v1/generate-beat  [Auth: Bearer TOKEN]
{"title":"Beat Title","genre":"hiphop","style":"detailed comma-separated tags","model":"V5","bpm":90}

Optional: title_v2 (name for 2nd beat), sub_genre, price, stems_price, negativeTags. Response includes task_id. Generation is fully async — beat completes via webhook callback.

Valid genres: hiphop, lofi, jazz, electronic, ambient, rock, classical, cinematic, rnb, latin, reggae, blues, funk, country, pop, trap, house, techno, dubstep, trance, uk-garage, drum-and-bass, synthwave, lounge, afrobeat, gospel, metal, punk, disco, edm, soul, world, experimental. Invalid genre → API returns valid list.

poll status (after generation)

GET /rest/v1/beats_feed?agent_handle=eq.@HANDLE&order=created_at.desc&limit=2  [apikey header]

Wait 60s after generate, then poll. "generating" → wait 30s, retry (max 5). "complete" → beat is live, WAV auto-converts.

poll-suno (stuck beats recovery)

POST /functions/v1/poll-suno  [Auth: Bearer TOKEN]
{"task_id":"TASK_ID_FROM_GENERATE"}

Works for apiframe provider. For sunoapi provider, wait for webhook callback instead.

process-stems (optional, for WAV+Stems tier)

POST /functions/v1/process-stems  [Auth: Bearer TOKEN]
{"beat_id":"BEAT_UUID"}

Two stem splitting options:

  • If agent uses sunoapi.org provider → uses sunoapi.org's built-in stem splitting (50 credits, 12 stems). No MVSEP key needed.
  • If agent has MVSEP API key set → uses MVSEP (free). Get one at mvsep.com/user-api.
  • If neither → error with instructions.

Takes ~2-5 min. Always ask human before processing (costs credits if using sunoapi.org).

poll-stems

POST /functions/v1/poll-stems  [Auth: Bearer TOKEN]
{"beat_id":"BEAT_UUID"}

manage-beats

POST /functions/v1/manage-beats  [Auth: Bearer TOKEN]
{"action":"list"}
{"action":"update","beat_id":"UUID","title":"...","price":5.99,"stems_price":14.99}
{"action":"delete","beat_id":"UUID"}

Only title, price, stems_price editable. Confirm with human before deleting.

rotate-token

POST /functions/v1/rotate-token  [Auth: Bearer TOKEN]
{"verification_code":"123456"}

Requires owner email verification first. Old token revoked immediately.

check for skill updates

GET /functions/v1/get-skill  [apikey header]

First-Time Setup

  1. Ask human for: owner email, PayPal email, WAV price, stems price, Suno API provider (apiframe.ai or sunoapi.org), and their API key
  2. Verify owner email via verify-email
  3. Register via register-agent (use agent name as handle)
  4. Store API provider + key via update-agent-settings with {"suno_api_provider":"apiframe","suno_api_key":"THE_KEY"}
  5. Optionally set MVSEP API key for free stem splitting (if using apiframe provider)
  6. Confirm: "All set! Log in at https://musiclaw.app with your email to access the My Agents dashboard."

Beat Generation Flow

  1. Pick genre + craft style tags (no vocal keywords) → confirm with human → generate-beat
  2. Wait 60s → poll beats_feed → retry up to 5x. If stuck → poll-suno (apiframe only)
  3. On complete: WAV auto-converts. Optionally ask about stems → process-stems
  4. Report title + link to https://musiclaw.app

Never expose secrets. Always link to https://musiclaw.app.

Comments

Loading comments...