Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Dlazy Suno.Music

v1.0.0

Automatically create complete songs with vocals and accompaniment based on lyrics or style descriptions using Suno AI.

Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
[!] Purpose & Capability
Name/description claim a CLI wrapper for Suno-style music generation. Declared required binaries (npm, npx) and the metadata install (npm install -g @dlazy/cli@1.0.5) align with that purpose. However, the skill's instructions require an API key (dlazy API) at runtime but the registry metadata does not declare any required credential or primaryEnv, creating an inconsistency between claimed requirements and actual runtime needs.
[!] Instruction Scope
SKILL.md directs the agent to run the external 'dlazy' CLI and contains an explicit 'AGENT CRITICAL INSTRUCTION' telling the agent to ask users to obtain the API key from a web dashboard and to 'send it to you' so the agent can run 'dlazy auth set <key>'. That instructs the agent to solicit secrets in chat, which is scope creep and a direct data-exfiltration risk that is not necessary to describe the integration itself. Other instructions (handling insufficient_balance, unauthorized) are plausible for a CLI wrapper.
Install Mechanism
There is no formal install spec in the registry install block, but the metadata recommends 'npm install -g @dlazy/cli@1.0.5'. Installing an npm package from the public registry is a common approach (moderate risk). Because this is an instruction-only skill there is no included code to review; you should verify the npm package source (repository, maintainers, package contents) before globally installing.
[!] Credentials
The skill manifest declares no required env vars or primary credential, but the instructions explicitly require an API key and tell the agent to obtain it from the user and save it locally. Requesting user secrets via chat is disproportionate and not represented in the declared requirements. This mismatch is a practical and security-related incoherence.
Persistence & Privilege
The skill does not request 'always: true', has no OS restrictions, and does not declare or appear to modify other skills' settings. Asking to run 'dlazy auth set <key>' would store credentials for the CLI locally, which is typical for a CLI-based integration, but the agent's instruction to solicit the secret is the concerning part rather than any special privilege in the manifest.
What to consider before installing
This skill wraps a third-party CLI (npm package @dlazy/cli) to generate music. Before installing or using it:

  1. Do NOT paste API keys or other secrets into chat — the skill explicitly instructs the agent to ask you to 'send' the API key, which is unsafe.
  2. Ask the publisher for the declared credential requirements to be added to the manifest (primaryEnv) instead of instructing secret sharing in chat.
  3. Inspect the npm package (@dlazy/cli) source/repository and reviews on npmjs.org before installing globally; prefer installing in an isolated environment or container.
  4. If you must use the service, set credentials locally (e.g., run dlazy auth set <key> yourself in a terminal) rather than sending them to the agent.
  5. Verify dlazy.com and oss.dlazy.com are legitimate and review their privacy/security docs and billing practices (the instructions reference recharging credits).

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🤖 Clawdis
Bins: npm, npx
latest: vk975fv3q1pq3m4p8vp0ancxa0585aytp
34 downloads
0 stars
1 version
Updated 23h ago
v1.0.0
MIT-0

dlazy-suno.music

Automatically create complete songs with vocals and accompaniment based on lyrics or style descriptions using Suno AI.

Trigger Keywords

  • suno music
  • generate song
  • ai music
  • write a song

Usage

CRITICAL INSTRUCTION FOR AGENT: Run the dlazy suno.music command to get results.

dlazy suno.music -h

Options:
  --mode <mode>                        Mode [default: inspiration] (choices: "inspiration", "custom")
  --prompt <prompt>                    Prompt [default: ]
  --title <title>                      Title [default: ] [only when mode="custom"]
  --tags <tags...>                     Tags (max 20) [default: ] [only when mode="custom"]
  --make_instrumental <make_instrumental>  Instrumental (No Vocals) [default: false] [only when mode="inspiration"]
  --input <spec>                       JSON payload: inline string, @file, or - (stdin)
  --dry-run                            Print payload + cost estimate without calling API
  --no-wait                            Return generateId immediately for async tasks
  --timeout <seconds>                  Max seconds to wait for async completion (default: "1800")
  -h, --help                           display help for command

Output Format

{
  "ok": true,
  "kind": "urls",
  "data": {
    "urls": [
      "https://oss.dlazy.com/result.mp4"
    ]
  }
}

Command Examples

# basic call:
dlazy suno.music --prompt 'prompt text'

# complex call:
dlazy suno.music --prompt 'prompt text'

Error Handling

| Code | Error Type | Example Message |
|------|------------|-----------------|
| 401 | Unauthorized (No API Key) | ok: false, code: "unauthorized", message: "API key is missing or invalid" |
| 501 | Missing required parameter | error: required option '--prompt <prompt>' not specified |
| 502 | Local file read error | Error: Image file/Video file not found: C:\path\to\your\file |
| 503 | API request failed (no balance) | ok: false, code: "insufficient_balance" |
| 503 | API request failed (server error) | HTTP status code error (500 server crash) |
| 504 | Asynchronous task execution failed | === Generation Failed === / {Specific error reason returned by backend, for example "Prompt violates safety policy"} |

AGENT CRITICAL INSTRUCTION:

  1. If the execution result returns code: "insufficient_balance", you MUST explicitly inform the user that their credits are insufficient and guide them to recharge: https://dlazy.com/dashboard/organization/settings?tab=credits
  2. If the execution result returns code: "unauthorized" or indicates missing API key, you MUST inform the user to get their API key from https://dlazy.com/dashboard/organization/api-key and send it to you. Once they provide it, save it using dlazy auth set <key> and resume the task.

Tips

Visit https://dlazy.com for more information.
