Security audit

CC3PO Music Generation

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only AI music generation skill; its third-party API examples are expected for the purpose, but users should be careful with prompts, lyrics, audio files, and API keys.

Install only if you are comfortable using third-party music generation services. Avoid entering confidential lyrics, unreleased business material, personal data, private reference audio, internal webhook URLs, or long-lived API keys into these examples unless you have reviewed the provider's terms, privacy practices, billing model, and token handling.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (23)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill directs the agent to use external music-generation providers and provider-specific files, but it does not warn users that prompts, lyrics, or uploaded reference material may be sent to third-party services. This can lead to unintended disclosure of sensitive or proprietary creative content, especially in commercial or private projects where users may assume local-only handling.

Missing User Warnings

Low
Confidence
93% confidence
Finding
The examples instruct users to send prompts and an API bearer token to a third-party service but do not disclose that prompts, tags, and credentials are transmitted off-platform. In a skill/documentation context this is a real transparency and privacy issue, though it is not by itself an exploit or malicious behavior.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The Replicate API example transmits prompt content to an external third-party service, but the skill does not clearly disclose that data leaves the local environment. In a music-generation context, prompts may contain proprietary creative ideas, customer data, or other sensitive project information, so users could unknowingly expose private content.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The examples instruct users to install and use Replicate with an API token and later show webhook configuration, but they do not warn that prompts, uploaded audio, and result metadata are sent to a third-party service. In this skill context, users may submit proprietary music prompts or source audio, so the omission can lead to unintended data disclosure and unsafe production integration.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The document recommends unofficial third-party APIs for Suno without warning that user prompts, custom lyrics, and API credentials are transmitted to external services outside the official provider. In a music-generation skill, prompts and lyrics may contain proprietary creative material or sensitive data, so omission of privacy, trust, and data-handling warnings creates a real security and privacy risk.

External Transmission

Medium
Category
Data Exfiltration
Content
```python
import requests

response = requests.post(
    "https://api.mubert.com/v2/generate",
    headers={"Authorization": f"Bearer {API_KEY}"},
    json={
Confidence
89% confidence
Finding
requests.post( "https://

External Transmission

Medium
Category
Data Exfiltration
Content
```python
# Using Mubert's text-to-music
response = requests.post(
    "https://api.mubert.com/v2/ttm",
    headers={"Authorization": f"Bearer {API_KEY}"},
    json={
Confidence
89% confidence
Finding
requests.post( "https://

External Transmission

Medium
Category
Data Exfiltration
Content
## Tag-Based Generation

```python
response = requests.post(
    "https://api.mubert.com/v2/generate",
    json={
        "tags": ["electronic", "upbeat", "happy"],
Confidence
82% confidence
Finding
requests.post( "https://

External Transmission

Medium
Category
Data Exfiltration
Content
```python
# Initialize stream
stream = requests.post(
    "https://api.mubert.com/v2/stream/start",
    json={"tags": ["lo-fi", "chill"]}
)
Confidence
82% confidence
Finding
requests.post( "https://

External Transmission

Medium
Category
Data Exfiltration
Content
```python
import requests

response = requests.post(
    "https://api.mubert.com/v2/generate",
    headers={"Authorization": f"Bearer {API_KEY}"},
    json={
Confidence
89% confidence
Finding
requests.post( "https://api.mubert.com/v2/generate", headers={"Authorization": f"Bearer {API_KEY}"}, json=

External Transmission

Medium
Category
Data Exfiltration
Content
```python
# Using Mubert's text-to-music
response = requests.post(
    "https://api.mubert.com/v2/ttm",
    headers={"Authorization": f"Bearer {API_KEY}"},
    json={
Confidence
89% confidence
Finding
requests.post( "https://api.mubert.com/v2/ttm", headers={"Authorization": f"Bearer {API_KEY}"}, json=

External Transmission

Medium
Category
Data Exfiltration
Content
## Tag-Based Generation

```python
response = requests.post(
    "https://api.mubert.com/v2/generate",
    json={
        "tags": ["electronic", "upbeat", "happy"],
Confidence
82% confidence
Finding
requests.post( "https://api.mubert.com/v2/generate", json=

External Transmission

Medium
Category
Data Exfiltration
Content
```python
# Initialize stream
stream = requests.post(
    "https://api.mubert.com/v2/stream/start",
    json={"tags": ["lo-fi", "chill"]}
)
Confidence
82% confidence
Finding
requests.post( "https://api.mubert.com/v2/stream/start", json=

External Transmission

Medium
Category
Data Exfiltration
Content
import requests

response = requests.post(
    "https://api.mubert.com/v2/generate",
    headers={"Authorization": f"Bearer {API_KEY}"},
    json={
        "prompt": "energetic workout music",
Confidence
86% confidence
Finding
https://api.mubert.com/

External Transmission

Medium
Category
Data Exfiltration
Content
```python
# Using Mubert's text-to-music
response = requests.post(
    "https://api.mubert.com/v2/ttm",
    headers={"Authorization": f"Bearer {API_KEY}"},
    json={
        "prompt": "relaxing ambient music for meditation",
Confidence
86% confidence
Finding
https://api.mubert.com/

External Transmission

Medium
Category
Data Exfiltration
Content
```python
response = requests.post(
    "https://api.mubert.com/v2/generate",
    json={
        "tags": ["electronic", "upbeat", "happy"],
        "bpm": 120,
Confidence
80% confidence
Finding
https://api.mubert.com/

External Transmission

Medium
Category
Data Exfiltration
Content
```python
# Initialize stream
stream = requests.post(
    "https://api.mubert.com/v2/stream/start",
    json={"tags": ["lo-fi", "chill"]}
)
Confidence
80% confidence
Finding
https://api.mubert.com/

External Transmission

Medium
Category
Data Exfiltration
Content
```python
import requests

response = requests.post(
    "https://api.sunoapi.org/v1/generate",
    headers={"Authorization": f"Bearer {API_KEY}"},
    json={
Confidence
78% confidence
Finding
requests.post( "https://

External Transmission

Medium
Category
Data Exfiltration
Content
**PiAPI (suno-v5):**
```python
response = requests.post(
    "https://api.piapi.ai/api/v1/suno/generate",
    headers={"X-API-Key": API_KEY},
    json={
Confidence
78% confidence
Finding
requests.post( "https://

External Transmission

Medium
Category
Data Exfiltration
Content
```python
import requests

response = requests.post(
    "https://api.sunoapi.org/v1/generate",
    headers={"Authorization": f"Bearer {API_KEY}"},
    json={
Confidence
78% confidence
Finding
requests.post( "https://api.sunoapi.org/v1/generate", headers={"Authorization": f"Bearer {API_KEY}"}, json=

External Transmission

Medium
Category
Data Exfiltration
Content
**PiAPI (suno-v5):**
```python
response = requests.post(
    "https://api.piapi.ai/api/v1/suno/generate",
    headers={"X-API-Key": API_KEY},
    json={
Confidence
78% confidence
Finding
requests.post( "https://api.piapi.ai/api/v1/suno/generate", headers={"X-API-Key": API_KEY}, json=

External Transmission

Medium
Category
Data Exfiltration
Content
import requests

response = requests.post(
    "https://api.sunoapi.org/v1/generate",
    headers={"Authorization": f"Bearer {API_KEY}"},
    json={
        "prompt": "upbeat pop song about summer",
Confidence
75% confidence
Finding
https://api.sunoapi.org/

External Transmission

Medium
Category
Data Exfiltration
Content
**PiAPI (suno-v5):**
```python
response = requests.post(
    "https://api.piapi.ai/api/v1/suno/generate",
    headers={"X-API-Key": API_KEY},
    json={
        "prompt": "epic orchestral trailer music",
Confidence
75% confidence
Finding
https://api.piapi.ai/

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.