← Back to Skills Marketplace
a64307410

Release

by Jiang Swei · GitHub ↗ · v1.0.6 · MIT-0
cross-platform ⚠ suspicious
332
Downloads
0
Stars
0
Active Installs
5
Versions
Install in OpenClaw
/install muse-ai
Description
AI 音乐创作助手 — 通过对话生成原创歌曲、纯音乐和 BGM。 当用户想要创作、生成、制作任何形式的音乐时使用此技能。 包括:生成带人声的歌曲、写歌词、作曲编曲、制作纯音乐/BGM/配乐,或将文字变成歌曲。 当用户提到具体音乐风格(如"来首民谣""做首说唱")时也应触发。 支持三种模式:灵感模式(一句话生成)、...
Usage Guidance
What to check before installing: - Understand the auth flow: the skill asks users to paste a JWT-like token into the chat to register/verify; avoid pasting long-lived or sensitive tokens into conversation logs if you want them private. Consider creating a dedicated/throwaway account or short-lived token for use with this skill. - Backend domain: all network calls go to https://skill-api.muse.top (consistent across scripts). If you plan to use this skill, review that domain and the hosted service's privacy policy before giving credentials. - Local device fingerprinting: the skill computes a device id from hostname/MAC/username, hashes it, stores it in ~/.muse/device_id, and sends the hash as X-Device-Id. This is used server-side for dedup/rate-limiting but is a fingerprinting vector — be aware if you need stronger anonymity. - Inspect files before running install: the included install.sh copies files into CLI skill directories and creates ~/.muse. You can open and audit scripts locally (they use only Python stdlib and urllib). Run install in a controlled environment or sandbox if you have doubts. - Removal: uninstall removes the skill directory but leaves ~/.muse (install.sh documents how to fully delete the data: rm -rf ~/.muse). - If you are privacy-sensitive, either avoid pasting tokens into chat, use a dedicated/limited account, or ask the skill author for an OAuth/browser-based flow that avoids pasting secrets into conversation logs. Overall: the package appears internally coherent with its stated purpose; the main concerns are privacy-sensitive choices (token pasted into chat, local device fingerprinting) rather than evidence of malicious behavior.
Capability Analysis
Type: OpenClaw Skill Name: muse-ai Version: 1.0.6 The skill bundle contains a high-risk command injection vulnerability in SKILL.md, where the AI agent is instructed to execute a bash command using unsanitized user input (the JWT token) via `scripts/register.py verify --token {content}`. Additionally, `scripts/muse_api.py` performs system fingerprinting by collecting the local username, hostname, and MAC address to generate a device ID (X-Device-Id) for API requests to `https://skill-api.muse.top`. While these behaviors are functionally linked to the music generation service, the combination of system tracking and the potential for remote code execution via the agent's command-line interface poses a security risk.
Capability Assessment
Purpose & Capability
The skill's declared purpose (dialog-driven music/song/BGM generation) matches the included scripts and SKILL.md: scripts call a single backend (https://skill-api.muse.top) for styles, lyrics, generation and polling. Persisting a token, task_id and device_id under ~/.muse is coherent with needing login and asynchronous task tracking. No unrelated cloud credentials, binaries, or system config paths are requested.
Instruction Scope
Runtime instructions direct the agent to cd into the skill directory and run the included Python scripts (member-info, generate, query). They also implement a flow that asks the user to paste a JWT-like token into the chat (detected by messages starting with 'eyJ') which the scripts then verify and save to ~/.muse/token. Running those scripts and reading/writing ~/.muse files is expected, but prompting users to paste an auth token into the chat means secrets will appear in the conversation stream unless the agent/user takes care to avoid logging — this is a privacy/usability concern rather than an incoherence.
Install Mechanism
There is an install.sh included which copies the provided files into a skill directory for supported CLIs; it does not download arbitrary code from unknown servers during install. README suggests a git clone URL, but the packaged install script as provided is local and performs file copies, Python checks, and basic migration. No extract-from-remote or URL-shortener downloads were found in the install script.
Credentials
The skill requests no environment variables, but it does read system identifiers (hostname, MAC via uuid.getnode(), and login) to generate a persistent device id which it stores in ~/.muse/device_id and sends as X-Device-Id to the service. While the code hashes these values before storage/transmission, collecting MAC/username is privacy-sensitive and could be used to fingerprint a device. The workflow also asks users to paste an auth token into chat — exposing credentials in conversational logs is a real risk. These behaviors are explainable for the service but are proportionally sensitive and worth considering.
Persistence & Privilege
The skill persists its own state (token, device_id, task_id) under ~/.muse and installs files into a skill directory; it does not request always:true, does not alter other skills, and does not require elevated system privileges. Persistent storage of an auth token and device fingerprint is expected for a logged-in service but increases the persistent blast radius if the local environment or skill files are compromised.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install muse-ai
  3. After installation, invoke the skill by name or use /muse-ai
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.6
v1.0.6: token 脚本内部闭环,修复其他模型幻觉导致认证失败
v1.0.5
v1.0.5: token 脚本内部闭环,修复其他模型幻觉导致认证失败
v1.0.4
- fix cmd bug
v1.0.3
Muse-AI 1.0.3 Changelog - No file or SKILL.md changes detected compared to the previous version. - No visible feature updates, bug fixes, or documentation edits in this release.
v1.0.2
ai-music-muse 1.0.2 初始发布 - 修正若干程序不确定性问题。
Metadata
Slug muse-ai
Version 1.0.6
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 5
Frequently Asked Questions

What is Release?

AI 音乐创作助手 — 通过对话生成原创歌曲、纯音乐和 BGM。 当用户想要创作、生成、制作任何形式的音乐时使用此技能。 包括:生成带人声的歌曲、写歌词、作曲编曲、制作纯音乐/BGM/配乐,或将文字变成歌曲。 当用户提到具体音乐风格(如"来首民谣""做首说唱")时也应触发。 支持三种模式:灵感模式(一句话生成)、... It is an AI Agent Skill for Claude Code / OpenClaw, with 332 downloads so far.

How do I install Release?

Run "/install muse-ai" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Release free?

Yes, Release is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Release support?

Release is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Release?

It is built and maintained by Jiang Swei (@a64307410); the current version is v1.0.6.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments