Is dumoedss/acestep safe?

https://github.com/openclaw/skills/tree/main/skills/dumoedss/acestep

88
SAFE

This skill provides legitimate music generation functionality through the ACE-Step API with reasonable security practices. The main concerns are data transmission to external services and executable script components, but these appear necessary for the stated functionality.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 75/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 80/100 · 5%

Findings (3)

MEDIUM External API Data Transmission -25

The skill transmits user-provided lyrics, music descriptions, and potentially personal creative content to external services (api.acemusic.ai). While this is the intended functionality for music generation, users should be aware that their creative input will be sent to third-party services.

LOW Executable Bash Script -15

The skill includes an executable bash script (acestep.sh) that will be run by the agent. The script appears legitimate for music generation API interactions but represents code execution risk.

LOW External Service Dependency -20

The skill's functionality depends on external music generation services, creating potential privacy and availability concerns for users who may not realize their creative content leaves their system.