Security audit

music generate

Security checks across malware telemetry and agentic risk

Overview

This music skill is coherent and disclosed, but users should be cautious with the optional unofficial API automation path.

Use the web interface path if you only need prompts. If you choose automation, review the unofficial wrapper project first, keep session credentials out of shared files, point SUNO_API_URL only at a trusted service, and save output to a dedicated folder.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Context-Inappropriate Capability

Medium
Confidence: 88%
Finding
The embedded code performs outbound network requests to a configurable API endpoint and then fetches arbitrary audio URLs returned by that service, finally writing files to a user-specified path. In a skill whose stated role is composition assistance and prompt generation, this materially increases capability and creates risk of untrusted network access, server-side request abuse via malicious returned URLs, and unsafe file writes.

VirusTotal

65/65 vendors flagged this skill as clean.
Static analysis

No suspicious patterns detected.