Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Suno Music
v1.0.0
Generate AI music with Suno via AceDataCloud API. Use when creating songs from text prompts, generating lyrics, extending tracks, creating covers, extracting...
by @germey
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes Suno music workflows and curl examples against api.acedata.cloud, which is coherent with the skill name/description. However the registry metadata claims no required environment variables or primary credential while the SKILL.md explicitly requires ACEDATACLOUD_API_TOKEN; this mismatch is unexpected and reduces trust.
Instruction Scope
Runtime instructions are narrowly scoped to calling AceDataCloud/Suno REST endpoints (lyrics, audios, tasks, wav/midi/mp4/vox endpoints) and polling for task status. The agent is only instructed to set/use ACEDATACLOUD_API_TOKEN and upload/poll audio; there are no instructions to read unrelated system files or exfiltrate arbitrary data.
Install Mechanism
The skill is instruction-only (no install spec), which is low-risk. It does optionally recommend 'pip install mcp-suno' or using a hosted MCP endpoint; installing a PyPI package is a separate action that could run arbitrary code and should be reviewed before installing. The skill does not itself provide an install URL or verify the package origin.
Credentials
The SKILL.md requires ACEDATACLOUD_API_TOKEN (appropriate for an API client), but the registry metadata lists no required env vars and no primary credential — an inconsistency that could be accidental or misleading. Additionally, there is no homepage or source URL to verify who controls the token-accepting endpoint, so users cannot easily validate the service/operator before providing credentials.
Persistence & Privilege
The skill does not request persistent presence (always:false) and makes no instructions about modifying agent/system-wide configuration or other skills. Autonomous invocation is allowed by platform default but is not combined here with other elevated privileges.
What to consider before installing
This skill appears to be a straightforward integration with AceDataCloud's Suno API, but the registry metadata and the runtime instructions disagree about required credentials and the package has no published source/homepage. Before installing or using it:
1) Confirm the publisher and official endpoint (do they operate at api.acedata.cloud and platform.acedata.cloud?) and find a homepage or repository to verify authenticity.
2) Do not paste your ACEDATACLOUD_API_TOKEN into unknown UIs; verify token scopes and consider creating a limited-scope token.
3) If you plan to use the optional 'mcp-suno' package, inspect that PyPI package (source code, maintainer, release history) before pip installing.
4) If you need stronger assurance, ask the publisher to update registry metadata to declare ACEDATACLOUD_API_TOKEN as a required credential and provide a homepage/source link.
Given the provenance gaps and metadata mismatch, treat this skill cautiously and avoid granting tokens until you verify the provider.
Like a lobster shell, security has layers — review code before you run it.
latestvk973zdh3kd8ehvn4dshm7t6c0h83ddvy
