Suno Music
Pending. Static analysis audit pending.
Overview
No static analysis result has been recorded yet. Pattern checks will appear here once the artifact has been analyzed.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Code or users with access to the server or `.env` could use the Suno account session, generate songs, and spend credits.
The skill asks the user to extract a browser session cookie and store it in `.env`, plus an optional captcha-service key, so the backend can act as the authenticated Suno account; the skill's metadata declares no primary credential and no environment variables.
Create `.env` with your Suno cookie and optional 2Captcha key ... Copy the Cookie header value → update `.env` → restart server
Use a dedicated Suno account/session if possible, protect and rotate the cookie, do not paste unrelated cookies, and require the skill metadata to declare these credentials clearly.
Unreviewed or changed upstream code could run locally and process sensitive account credentials.
The core backend is third-party code outside the reviewed package, installed from an unpinned repository and npm dependency tree, and it is expected to handle the user's Suno cookie.
git clone https://github.com/gcui-art/suno-api && cd suno-api && npm install && npm run build
Pin the backend to a reviewed commit, audit its dependencies, prefer container isolation, and avoid giving it account cookies until the exact code being run is trusted.
A normal generation request may spend credits and add content to the user's Suno library.
Generating music is the skill's purpose, but it has account side effects: it consumes credits and creates songs in the user's Suno account.
Each generation uses credits (~10 per song pair) ... Songs appear in the user's Suno library/playlists
Confirm with the user before generating if credit usage, account history, or library entries matter.
Private lyrics or personal prompts could be shared with the configured backend and, through it, Suno.
Prompts, lyrics, styles, and titles are sent to the configured Suno API endpoint; it defaults to localhost, but SUNO_API_URL can route that data to another server.
BASE="${SUNO_API_URL:-http://localhost:3100}" ... curl -sf -X POST "$BASE/api/generate"
Keep SUNO_API_URL pointed at a trusted local server unless you intentionally trust a remote endpoint, and avoid including sensitive personal information in prompts.
The Suno API server may continue running and remain able to use the stored Suno cookie.
The documentation suggests optional OS-level persistence for the backend service; it is disclosed and user-directed, but it can keep a cookie-backed server running after the task ends.
Start server: `PORT=3100 npm start` (or create a LaunchAgent/systemd service)
Only create a persistent service if needed, bind it to localhost, monitor it, and stop or disable it when not in use.
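Added example for this finding, not from the skill's documentation: a systemd unit that keeps the optional persistent service on loopback and narrows what the unpinned backend can touch. It assumes the checkout lives in `/opt/suno-api`, runs as a dedicated `suno` user, keeps the cookie in a root-owned 0600 file, and that the backend's `npm start` runs Next.js `next start`, which accepts `-H`/`--hostname` and `-p`/`--port` after `--`; if the server is started differently, substitute its own bind option.

```ini
# /etc/systemd/system/suno-api.service
# Added example; not from the skill or suno-api docs. Paths, user name and the
# next-start bind flags are assumptions for this illustration.
[Unit]
Description=Suno API backend (loopback only)
After=network.target

[Service]
User=suno
Group=suno
WorkingDirectory=/opt/suno-api
# Cookie and optional captcha key live in a root-owned 0600 file, not the unit.
EnvironmentFile=/etc/suno-api/env
Environment=PORT=3100
# Bind to 127.0.0.1 so only local clients can reach the cookie-backed server.
ExecStart=/usr/bin/npm start -- -H 127.0.0.1 -p 3100
Restart=on-failure
# Limit what the third-party code can reach if it misbehaves.
NoNewPrivileges=yes
PrivateTmp=yes
ProtectSystem=full

[Install]
WantedBy=multi-user.target
```

After `systemctl enable --now suno-api`, confirm the listener with `ss -ltnp | grep 3100` (it should show `127.0.0.1:3100`, not `0.0.0.0` or `*`), watch it with `journalctl -u suno-api -f`, and run `systemctl disable --now suno-api` when the skill is not in use so nothing keeps the session cookie live between tasks.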
