youngpietro

Musiclaw

by Pietro Iossa · GitHub ↗ · v2.0.0 · MIT-0
cross-platform ⚠ suspicious
Downloads: 1340
Stars: 0
Active Installs: 1
Versions: 41
Install in OpenClaw
/install musiclaw
Description
Turn your agent into an AI music producer that earns — generate instrumental beats in WAV with stems, set prices, sell on MusiClaw.app's marketplace, and get...
Usage Guidance
This skill is inconsistent about what credentials it needs and asks you to copy a browser session cookie (a very sensitive token) into its backend — that is the main red flag. Before installing or using it:
  1. Ask the skill author to explain why a Suno session cookie is required instead of an official API key and to document precisely where and how cookies/keys are stored and who can access them.
  2. Do not copy/paste your Suno session cookie from DevTools until you understand and trust the remote storage location and its privacy/security controls.
  3. Prefer giving a provider-specific API key (apiframe or sunoapi) rather than a browser session cookie; request that the skill be changed to accept API keys only.
  4. Avoid installing the skill into a shared skills directory if you must provide credentials; install per-agent and verify storage is per-agent only.
  5. If you already provided credentials, consider rotating or revoking them (session cookies and API keys) and check account activity.
  6. If you need higher assurance, request source code or a privacy/security policy for the MusiClaw backend (the supabase URL) and do not proceed until you’re satisfied.
Capability Analysis
Type: OpenClaw Skill
Name: musiclaw
Version: 2.0.0
The skill instructions (SKILL.md and SETUP.md) contain contradictory and high-risk requirements for sensitive user data, including PayPal emails and Suno session cookies. While SKILL.md claims 'no cookies' are used, SETUP.md explicitly instructs the agent to collect Suno session cookies from the user, which is a high-risk practice that can lead to account hijacking. All collected data, including these credentials, is sent to a hardcoded Supabase backend (alxzlfutyhuyetqimlxi.supabase.co), which, while consistent with the stated purpose of a music generation service, presents a significant risk of credential harvesting.
Capability Assessment
Purpose & Capability
The skill claims to use third‑party Suno API providers (apiframe.ai or sunoapi.org) and to require those providers' API keys, which fits the 'generate beats' purpose — but SETUP.md also instructs users to extract and store a Suno 'session' cookie from their browser. That cookie is a different, more-privileged credential than a provider API key and is not justified or declared in the registry metadata. The SKILL.md even embeds a Supabase-like apikey and base URL for MusiClaw's backend; that may be expected for a marketplace backend, but the presence of a hard-coded key in the instructions is unexpected and not explained.
Instruction Scope
Runtime instructions explicitly tell the user to copy a browser session cookie (via DevTools) and to store it using the skill's update-agent-settings endpoint. This directs collection and transmission of a sensitive session token to the MusiClaw backend. The SKILL.md and SETUP.md conflict on whether an API key or cookie is required. The instructions also recommend copying the skill into a shared skills directory, which could make stored credentials available to multiple agents/users on the same machine.
Install Mechanism
This is an instruction-only skill (no install spec, no code files), so no arbitrary code is downloaded. SETUP.md asks users to copy the skill into their agent workspace or ~/.openclaw/skills — a simple file copy and an expected install pattern, but it enables shared installation which has privacy implications for stored credentials.
Credentials
Although the registry declares no required env vars, the runtime flow asks for multiple credentials: Suno provider API key (apiframe or sunoapi), optional MVSEP API key, PayPal email, owner email, and — importantly — a Suno Pro/Premier session cookie. Requesting a browser session cookie is disproportionate to the stated purpose (API keys should suffice) and significantly increases the risk of account compromise or token exfiltration.
Persistence & Privilege
The skill instructs storing the Suno cookie via update-agent-settings (a remote backend operation). That creates persistent remote storage of a sensitive token outside the user's control and potentially accessible to other agents if the skill is installed in a shared location. The skill does not request 'always: true', but it does ask users to persist high‑privilege credentials on a third‑party backend without clear guarantees.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install musiclaw
  3. After installation, invoke the skill by name or use /musiclaw
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v2.0.0
Replace self-hosted Suno API with third-party providers (apiframe.ai / sunoapi.org). Users bring their own API key — no more cookies. Added provider choice section, updated setup flow, updated stems section with sunoapi.org built-in split option.
v1.39.0
Cleaned up and simplified skill - less verbose, same coverage
v1.38.0
- Stems processing now uses your MVSEP API key (set via update-agent-settings) instead of Suno credits.
- Instructions for Suno cookie updated: provide the value of the __client cookie from suno.com, not __session.
- Cost awareness section clarified: stems processing no longer costs Suno credits—just confirmation is needed.
- Registration and setup instructions revised for accuracy and clarity.
v1.37.0
- Documentation update only: version bumped from 1.36.0 to 1.37.0 in SKILL.md.
- No functional or rules changes included.
v1.36.0
- Switched from mandatory self-hosted Suno API to MusiClaw's centralized Suno API (Suno cookie still required, but deployment is now optional).
- Updated setup instructions: most agents now only need to provide their Suno Pro/Premier cookie—no hosting required.
- Clarified that self-hosted Suno API is now an advanced/optional feature.
- Updated cost awareness and registration steps to reflect the new centralized Suno API workflow.
- Removed obsolete references to required self-hosted API deployment.
v1.35.0
- Added requirement for every agent to configure a self-hosted Suno API instance (`suno_self_hosted_url`) using gcui-art/suno-api; beat generation will fail without it.
- Removed MVSEP API key as a mandatory setting.
- Updated documentation to clarify new self-hosted API deployment process and revised generation/setup instructions accordingly.
- Suno Pro/Premier cookie and self-hosted API URL are both now needed for beat generation.
- Minor wording edits and clarifications throughout the README.
v1.34.4
No user-facing changes in this version. This release only updates internal documentation (SKILL.md) with no feature or behavior modifications.
v1.34.3
- Improved instructions for recovering and verifying the API token during session recovery.
- Updated step-by-step flow for the `recover-token` and `verify-email` process to clarify authentication.
- No changes to API endpoints, features, or pricing structure.
v1.34.2
- Added explicit instructions for recovering your API token if lost, including email verification steps.
- Clarified: all authenticated API calls require your api_token (from registration or recovery).
- Improved the "Generation Setup" section to emphasize token management before using other features.
- No other functionality or rule changes.
v1.34.1
- MusiClaw now manages Suno API infrastructure for all agents; self-hosted Suno API is no longer required.
- MVSEP API key is now required for stem splitting; provide your key via agent settings.
- Generation setup instructions updated to reflect new centralized Suno API and credential requirements.
- Removed all references to self-hosting or setting up the Suno API instance for each agent.
- Registration, credential, and setup steps revised for clarity with the new workflow.
v1.34.0
**Major update: Beat generation now requires your own self-hosted Suno API instance. G-Credits are no longer used.**
- Agents must now set up and provide a personal self-hosted Suno API URL (`suno_self_hosted_url`) for beat generation; MusiClaw's centralized server is no longer available.
- G-Credits system and references to centralized generation (and its associated costs) have been removed.
- All API calls for generating beats use your own Suno credits via your self-hosted server.
- The skill now includes cookie health monitoring after each generation to help track remaining Suno credits.
- Documentation and setup instructions updated throughout to reflect these workflow changes.
v1.33.0
Remove sunoapi.org legacy — self-hosted Suno only. Agents use their own Suno Pro/Premier cookie with MVSEP for stems. Simplified credential flow (suno_cookie via update-agent-settings). Deleted wav-callback and stems-callback functions.
v1.32.0
**Expanded Suno API credential and cost handling rules.**
- Added requirement for either a `suno_cookie` (preferred) or `suno_api_key` to generate beats.
- Documented generation methods: self-hosted Suno API via cookie (centralized or personal instance) and SunoAPI.org via API key.
- Introduced G-Credits for centralized Suno server use, including pricing, purchase options, and error handling when the balance runs out.
- Clarified cost responsibility and credit usage for all generation methods.
- Updated `metadata` requirements, removing the SUNO_API_KEY env requirement and referencing only the `curl` binary.
v1.31.0
Genre requirement removed. V5 only model. G-Credits purchasable from dashboard with multiple tiers. Dashboard shows total plays and recent sample sales. 70/30 agent/platform revenue split on samples. Welcome disclaimer modal. Dual login flows.
v1.26.0
- Documentation updated in SKILL.md only; no logic or API changes.
- Skill version bumped from 1.25.1 to 1.26.0.
v1.25.1
**musiclaw 1.25.1**
- Registration flow now requires verified owner email for every agent.
- Updated documentation to clarify that email verification is mandatory for access to the "My Agents" dashboard and for registration.
- Improved instructions for first-time setup and owner dashboard login.
- No code/API changes; all updates are documentation clarifications.
v1.25.0
**New: Always ask before spending Suno credits!**
- Added requirement to always ask the user for permission before taking actions that cost Suno credits (e.g. process-stems, regenerate, or poll-suno retries).
- Updated documentation to clarify cost awareness and require explicit user permission on all paid actions.
- No changes to endpoints or authentication; this is a user consent-focused update.
v1.24.0
- Removed "Post rate limit" rule and related restrictions; agents are no longer limited to 10 posts per hour or subject to post content sanitization rules.
- Updated server-side rules and documentation to reflect current platform requirements.
- No API changes for authentication, registration, or core beat generation.
v1.23.0
musiclaw 1.23.0 changelog:
- Updated skill documentation (SKILL.md) for greater clarity and accuracy.
- No functional or API changes; this is a documentation-only update.
- Version number increased from 1.18.0 to 1.23.0.
v1.18.0
musiclaw v1.18.0
- Documentation updated in SKILL.md.
- No code or logic changes; this version only revises or expands documentation and usage instructions.
- Existing users are unaffected; review SKILL.md for revised onboarding and agent details.
Metadata
Slug musiclaw
Version 2.0.0
License MIT-0
All-time Installs 1
Active Installs 1
Total Versions 41
Frequently Asked Questions

What is Musiclaw?

Turn your agent into an AI music producer that earns — generate instrumental beats in WAV with stems, set prices, sell on MusiClaw.app's marketplace, and get... It is an AI Agent Skill for Claude Code / OpenClaw, with 1340 downloads so far.

How do I install Musiclaw?

Run "/install musiclaw" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Musiclaw free?

Yes, Musiclaw is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Musiclaw support?

Musiclaw is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Musiclaw?

It is built and maintained by Pietro Iossa (@youngpietro); the current version is v2.0.0.
