Music Generation

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only music generation skill. The third-party API examples it contains are expected for its purpose, but users should treat every prompt, lyric, audio file, and API key passed through them as shared with the selected provider.

Install only if you are comfortable using third-party music services. Avoid confidential prompts, unreleased lyrics, private audio, or sensitive files unless you have vetted the provider. Use separate, scoped API keys where possible, be especially cautious with unofficial Suno or Udio wrappers, and check the provider's current licensing terms before relying on generated output.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (7)

Missing User Warnings

Severity: Low
Confidence: 86%
Finding
The Replicate example sends user prompts to an external third-party API, but the skill does not explicitly warn users that their prompts and related generation data leave the local environment. In a music-generation context, prompts may contain proprietary creative concepts, unreleased campaign details, or other sensitive information, so the omission can lead to unintended data disclosure even if the example itself is not overtly malicious.

Missing User Warnings

Severity: Low
Confidence: 91%
Finding
The Replicate API examples transmit user prompts to an external third-party service, but the documentation does not disclose that network call or the associated data-sharing/privacy implications. In a music-generation skill this is not inherently malicious, but users may unknowingly send sensitive or proprietary prompt content off-platform, creating avoidable privacy and compliance risk.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The document recommends unofficial third-party APIs for Suno and includes example code that transmits prompts, lyrics, and API credentials to external services, but it does not warn users about privacy, data handling, account security, or the lack of an official public API. In a skill intended to guide agent behavior, this can lead users to unknowingly send potentially sensitive creative content or secrets to unvetted providers.

External Transmission

Severity: Medium
Category: Data Exfiltration
Content
```python
import requests

response = requests.post(
    "https://api.sunoapi.org/v1/generate",
    headers={"Authorization": f"Bearer {API_KEY}"},
    json={
```
Confidence: 82%
Finding
Matched call: requests.post( "https://api.sunoapi.org/v1/generate", headers={"Authorization": f"Bearer {API_KEY}"}, json=

External Transmission

Severity: Medium
Category: Data Exfiltration
Content
**PiAPI (suno-v5):**
```python
response = requests.post(
    "https://api.piapi.ai/api/v1/suno/generate",
    headers={"X-API-Key": API_KEY},
    json={
```
Confidence: 82%
Finding
Matched call: requests.post( "https://api.piapi.ai/api/v1/suno/generate", headers={"X-API-Key": API_KEY}, json=

External Transmission

Severity: Medium
Category: Data Exfiltration
Content
```python
import requests

response = requests.post(
    "https://api.sunoapi.org/v1/generate",
    headers={"Authorization": f"Bearer {API_KEY}"},
    json={
```
Confidence: 82%
Finding
Matched call: requests.post( "https://api.sunoapi.org/v1/generate", headers={"Authorization": f"Bearer {API_KEY}"}, json=

External Transmission

Severity: Medium
Category: Data Exfiltration
Content
**PiAPI (suno-v5):**
```python
response = requests.post(
    "https://api.piapi.ai/api/v1/suno/generate",
    headers={"X-API-Key": API_KEY},
    json={
```
Confidence: 82%
Finding
Matched call: requests.post( "https://api.piapi.ai/api/v1/suno/generate", headers={"X-API-Key": API_KEY}, json=
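
The Overview's advice (vetted providers only, scoped keys) and the External Transmission findings above both come down to one control: decide what may leave the machine before the request is built. The following is an added example of such a check, written for this page; it is not code from the scanned skill or from SkillSpector. The two hostnames are copied from the flagged snippets so the example matches them, but listing a host in the allowlist is the operator's decision, not an endorsement; the environment variable names and the secret patterns are hypothetical placeholders. Nothing is sent: the caller gets back a prepared urllib Request and an audit record with the credential redacted.

```python
"""Outbound policy check for music-generation API calls (added example)."""
import json
import os
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit
from urllib.request import Request

# Hosts copied from the snippets in the findings so the example matches them.
# Listing a host here is the operator's decision, not an endorsement; the
# environment variable names are hypothetical.
APPROVED_PROVIDERS = {
    "api.sunoapi.org": {"header": "Authorization", "prefix": "Bearer ", "env": "SUNOAPI_ORG_KEY"},
    "api.piapi.ai": {"header": "X-API-Key", "prefix": "", "env": "PIAPI_KEY"},
}

# Illustrative patterns for things that should never ride along inside a
# prompt or lyric payload; not a complete secret scanner.
SECRET_PATTERNS = [
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),                # AWS access key id
    re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b"),           # OpenAI-style key
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),  # PEM private key
    re.compile(r"(?i)\b(api[_-]?key|secret|password)\s*[:=]\s*\S+"),
]


@dataclass
class Decision:
    allowed: bool
    reason: str
    request: Optional[Request] = None
    audit: Optional[dict] = None


def secret_hits(payload: dict) -> list:
    """Return the patterns that match anywhere in the serialized payload."""
    text = json.dumps(payload)
    return [p.pattern for p in SECRET_PATTERNS if p.search(text)]


def prepare_generation_request(url: str, payload: dict, env=None) -> Decision:
    """Decide whether payload may be POSTed to url; build the request if so."""
    env = os.environ if env is None else env
    parts = urlsplit(url)
    if parts.scheme != "https":
        return Decision(False, f"non-HTTPS destination refused: {url}")
    provider = APPROVED_PROVIDERS.get(parts.hostname)
    if provider is None:
        return Decision(False, f"host not in provider allowlist: {parts.hostname}")
    hits = secret_hits(payload)
    if hits:
        return Decision(False, f"payload contains secret-like content: {hits}")
    # One key per provider, read from the environment, never embedded in code.
    key = env.get(provider["env"])
    if not key:
        return Decision(False, f"set {provider['env']} to a key scoped to {parts.hostname}")
    headers = {
        provider["header"]: provider["prefix"] + key,
        "Content-Type": "application/json",
    }
    body = json.dumps(payload).encode("utf-8")
    request = Request(url, data=body, headers=headers, method="POST")
    # What leaves the machine, recorded without the credential itself.
    audit = {
        "host": parts.hostname,
        "path": parts.path,
        "fields_sent": sorted(payload),
        "auth_header": provider["header"],
        "key_fingerprint": key[:4] + "...",
    }
    return Decision(True, "allowed", request, audit)


if __name__ == "__main__":
    # Constructed sample inputs; no network call is made.
    demo_env = {"SUNOAPI_ORG_KEY": "test-key-1234"}
    ok = prepare_generation_request(
        "https://api.sunoapi.org/v1/generate",
        {"prompt": "lofi beat for a rainy evening", "lyrics": "rain on the window"},
        env=demo_env,
    )
    print(ok.allowed, ok.audit)
    leak = prepare_generation_request(
        "https://api.sunoapi.org/v1/generate",
        {"prompt": "use my key AKIAIOSFODNN7EXAMPLE to fetch stems"},
        env=demo_env,
    )
    print(leak.allowed, leak.reason)
```

The audit record is what a reviewer would want logged for each call: destination, which payload fields went out, and only a prefix of the key. Refusing on a secret-pattern hit is deliberately conservative; a false positive costs one retry, a missed key costs the account.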

VirusTotal

63 of 63 vendors reported this skill as clean.

View on VirusTotal