Security audit

Suno Music

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward guide for using AceDataCloud/Suno to generate music, with normal third-party API and token handling risks.

Install this only if you are comfortable sending music prompts, lyrics, uploaded audio, and related metadata to AceDataCloud/Suno. Use a scoped, revocable API token, verify the optional MCP package or hosted endpoint before using it, and avoid submitting confidential, copyrighted, or voice/persona material unless you understand the provider's terms and retention controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The skill description is extremely broad ('any music generation task'), which can cause the agent to invoke this skill in many situations without clearly signaling that user prompts and possibly uploaded audio will be sent to a third-party API. Overbroad routing increases the chance of unintended data disclosure because users may not realize their content is leaving the local environment.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation describes sending prompts and uploaded audio to AceDataCloud but does not warn users that their inputs are transmitted to a third-party service. This omission can lead to accidental sharing of sensitive text, copyrighted material, voice data, or unpublished audio with an external provider.

External Transmission

Medium
Category
Data Exfiltration
Content
## Quick Start — Generate a Song

```bash
curl -X POST https://api.acedata.cloud/suno/audios \
  -H "Authorization: Bearer $ACEDATACLOUD_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"prompt": "a happy pop song about coding", "model": "chirp-v4-5", "wait": true}'
```
Confidence
83% confidence
Finding
curl -X POST https://api.acedata.cloud/suno/audios \ -H "Authorization: Bearer $ACEDATACLOUD_API_TOKEN" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
## Quick Start — Generate a Song

```bash
curl -X POST https://api.acedata.cloud/suno/audios \
  -H "Authorization: Bearer $ACEDATACLOUD_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"prompt": "a happy pop song about coding", "model": "chirp-v4-5", "wait": true}'
```
Confidence
83% confidence
Finding
https://api.acedata.cloud/

VirusTotal

53/53 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.