Back to skill

Security audit

ACE Music - Free Suno Alternative Generate unlimited AI music for free using ACE-Step 1.5. Full songs with vocals, lyrics, any genre, any language. No subscription, no credits, no limits. The open-source Suno alternative, powered by ACE Music's free API.

Security checks across malware telemetry and agentic risk

Overview

The skill appears to generate music as claimed, but its helper script handles output paths and request parameters unsafely enough to require review before installation.

Install only if you are comfortable reviewing or fixing the helper script first. Use a dedicated ACE Music API key, keep it out of shared files and source control, avoid submitting confidential lyrics or audio, and restrict generated output to a safe directory with simple filenames.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
77% confidence
Finding
The skill instructs use of a shell script (`scripts/generate.sh`) and environment-variable setup, but no explicit permissions are declared. This creates a transparency and least-privilege problem: an agent may invoke shell-capable behavior without the user being clearly informed through the skill's permission model.

Vague Triggers

Medium
Confidence
71% confidence
Finding
The invocation description is broad enough to match many generic music-related requests, which can cause the skill to trigger more often than intended. Over-broad routing increases the chance that the agent uses this external API skill in contexts where another safer or more appropriate tool should have been selected.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The setup flow asks the user to obtain and paste an API key, then store it in an environment variable or TOOLS.md, but gives no warning that the key is sensitive. This can lead to accidental disclosure in chat history, logs, screenshots, shell history, or source-controlled files, especially if TOOLS.md is shared or committed.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation describes a remote API endpoint and encourages sending prompts, lyrics, and even uploaded audio, but does not clearly warn that this user content leaves the local environment and is transmitted to a third-party service. In a music-generation skill, users may submit sensitive creative material, voice recordings, or copyrighted audio, so lack of disclosure can lead to privacy, confidentiality, and consent issues.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.