← Back to Skills Marketplace
92
Downloads
0
Stars
0
Active Installs
2
Versions
Install in OpenClaw
/install stepace-experimental
Description
Generate AI music on your Android phone via the StepAce Experimental app. Use this skill whenever the user asks to generate, create, make, compose, or queue...
Usage Guidance
Before installing or setting STEPACE_TOKEN, verify the bridge endpoint and publisher: 1) Confirm that https://cronicaia.com (the declared homepage) documents this exact bridge URL or otherwise references the Cloudflare worker domain; if not, treat the worker endpoint as untrusted. 2) Ask the skill author or vendor for an official API endpoint and source code or a privacy/security statement explaining why a worker.dev URL is used. 3) Avoid pasting your real pairing token into public chats; consider creating a disposable/test token if the app supports it. 4) Do not run example commands (like sourcing /home/deploy/.stepace-env) that reference files you don't recognize. 5) If you proceed, monitor network and app behavior and revoke/regenerate the token from the phone app if anything looks unexpected. If the vendor cannot justify the third-party worker endpoint or provenance, do not provide sensitive credentials.
Capability Analysis
Type: OpenClaw Skill
Name: stepace-experimental
Version: 0.0.2
The skill bundle contains instructions in SKILL.md that direct the AI agent to execute shell commands using a hardcoded local filesystem path (`source /home/deploy/.stepace-env`). This is highly irregular for a portable skill and suggests an environment-specific dependency or an attempt to persist/access data in a specific host directory. Furthermore, the skill transmits a user-provided pairing token to a third-party Cloudflare Worker endpoint (openclaw-bridge.torrico-villanueva-cesar-kadir.workers.dev), and the recommended shell implementation is vulnerable to command injection if the token variable is not properly sanitized by the agent.
Capability Assessment
Purpose & Capability
Name/description match the required capability (music generation on an Android app). Requested credential (STEPACE_TOKEN) is appropriate for pairing. However, the runtime endpoint used (a personal/worker.dev domain) does not match the declared homepage (cronicaia.com) or an obvious official StepAce API, which is incongruent with expectations.
Instruction Scope
SKILL.md instructs the agent to POST the pairing token and generation payload to an external bridge URL. Examples include 'source /home/deploy/.stepace-env' (an odd hard-coded local path) and a recommendation to prefer curl over normal HTTP clients—both of which are unexpected and could encourage running local commands or sourcing files that may contain secrets. The instructions do not require reading other unrelated system files, but the examples/reference paths and strong transport preferences are suspicious.
Install Mechanism
No install spec and no code files — instruction-only. This minimizes disk-level risk because nothing will be written/executed by an installer. The primary runtime action is an outbound HTTP POST.
Credentials
Only a single env var (STEPACE_TOKEN) is required, which is proportional for a pairing token. However, because the skill sends that token to an unexpected third-party worker.dev endpoint (not the homepage domain), the token could be transmitted to an untrusted service — increasing exfiltration risk despite the small number of credentials requested.
Persistence & Privilege
Skill is not always-enabled and uses normal autonomous invocation defaults. It does not request persistent system-level privileges or modify other skills' configs. Nothing in the metadata requests elevated or permanent platform-wide privileges.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install stepace-experimental - After installation, invoke the skill by name or use
/stepace-experimental - Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.0.2
- Preferred transport for API calls is now `curl` from the shell, not Python or generic HTTP clients.
- Added `curl`-based example commands for both immediate and scheduled song generation.
- Clarified that some clients (like Python) may be rejected by the bridge/CDN even if the payload is correct.
- No changes to core parameters, error handling, or natural language mapping.
v0.0.1
Initial release of StepAce Experimental skill — generate AI music on your Android phone.
- Queue or schedule AI-generated music directly to StepAce Experimental via Android.
- Supports detailed controls: BPM, key, time signature, language, duration, lyrics, and instrumental options.
- Simple pairing/token setup guide provided within the skill.
- Handles both instant and scheduled music generation based on user request.
- Clear error handling and user guidance if parameters (like token or caption) are missing.
Metadata
Frequently Asked Questions
What is StepAce Experimental?
Generate AI music on your Android phone via the StepAce Experimental app. Use this skill whenever the user asks to generate, create, make, compose, or queue... It is an AI Agent Skill for Claude Code / OpenClaw, with 92 downloads so far.
How do I install StepAce Experimental?
Run "/install stepace-experimental" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is StepAce Experimental free?
Yes, StepAce Experimental is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does StepAce Experimental support?
StepAce Experimental is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created StepAce Experimental?
It is built and maintained by ckadirt (@ckadirt); the current version is v0.0.2.
More Skills