#20400: feat(skill): add Loudly AI music generation skill

## Summary - Adds a new **Loudly** skill for generating royalty-free AI music via the [Loudly Music API](https://www.loudly.com/developers) - Supports parametric generation (genre, energy, BPM, key, instruments, genre-blending) and text-prompted generation (prompt alongside genre) - Includes `generate_music.py` and `list_genres.py` scripts, executed via `uv run` with inline PEP 723 dependency metadata — zero setup beyond having `uv` installed - 15 genres available (Ambient, House, Lo Fi, Hip Hop, EDM, etc.) each with micro-genre sub-categories ### Security hardening - API key via `LOUDLY_API_KEY` env var only (no CLI flag — avoids `ps aux` exposure) - Download URL validated: HTTPS-only + hostname allowlist (`*.cloudfront.net`, `*.loudly.com`) to prevent SSRF - Output path denylist blocks writes to `/etc`, `~/.ssh`, `~/.openclaw`, and other sensitive locations - Request timeouts on all HTTP calls (10s connect, 120s/300s read) - Download capped at 100 MB with partial-file cleanup on failure - Raw API error responses suppressed from output - `requests` dependency pinned with upper bound (`>=2.31.0,<3`) ### Skill structure ``` skills/loudly/ ├── SKILL.md # Manifest + agent instructions └── scripts/ ├── generate_music.py # Music generation (parametric + prompt) └── list_genres.py # Genre listing with micro-genres ``` ## Test plan - [x] Parametric generation (genre + energy + BPM) — verified via API - [x] Genre + text prompt combo — verified via API - [x] Genre blending + musical key params — verified via API - [x] List genres (15 genres, micro-genres displayed) — verified via API - [x] End-to-end agent test via `openclaw agent` — skill loaded, music generated, MP3 saved - [x] Path traversal blocked: `/etc/evil.mp3`, `~/.ssh/authorized_keys`, `~/.openclaw/...` - [x] SSRF blocked: HTTP URLs, localhost, AWS metadata, spoofed hostnames - [x] Missing API key rejected cleanly - [x] Skill appears as "ready" in `openclaw skills list` 🤖 Generated with [Claude Code](https://claude.com/claude-code) <!-- greptile_comment --> <h3>Greptile Summary</h3> Adds a new **Loudly** skill for AI music generation with two scripts (`generate_music.py` and `list_genres.py`), following the existing skill conventions (PEP 723 inline deps, `uv run`, `MEDIA:` output tokens). The PR includes notably strong security hardening — HTTPS-only URL allowlist, output path denylist, streamed download with 100 MB cap and partial-file cleanup — which sets a higher bar than some existing skills. - One logic issue found: `data.get("duration", 0)` on line 227 of `generate_music.py` does not guard against the API returning an explicit `null`, which would cause a `TypeError` crash on line 232 during the division. - Skill manifest (`SKILL.md`) is well-structured and follows existing patterns. - `list_genres.py` is clean with proper error handling and timeout configuration. <h3>Confidence Score: 4/5</h3> - This PR is safe to merge with one minor fix needed for a potential crash when the API returns null duration. - Score of 4 reflects well-written, security-hardened code with one edge-case bug that could cause a runtime crash. The overall structure follows repo conventions and the security measures are thorough. - `skills/loudly/scripts/generate_music.py` — line 227 has a null-safety issue that could cause a `TypeError`. _{Last reviewed commit: 9c623b8} <!-- greptile_other_comments_section --> _{(2/5) Greptile learns from your feedback when you react with thumbs up/down!} <!-- /greptile_comment -->