Suno

Security checks across malware telemetry and agentic risk

Overview

This is a transparent Suno music-generation skill whose third-party API use and local project memory are disclosed and aligned with its purpose.

Install if you are comfortable with Suno, aimusicapi.ai, or EvoLink receiving prompts and lyrics when you use generation features. Keep API keys in environment variables or a keychain, confirm before actions that may spend credits, and periodically inspect or remove ~/suno/ if your prompts, lyrics, or project notes are private.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (10)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The document directs users to send prompts and lyrics to unaffiliated third-party hosted services, but it does not clearly warn that user content will be transmitted off-platform and may be stored, processed, or retained by those providers. In a skill that may handle creative drafts or sensitive text, this omission can cause inadvertent privacy and data-sharing exposure.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly instructs the agent to persist user preferences and prior prompts to ~/suno/memory.md without telling the user that this data will be stored locally. Even though it says not to store API keys, the saved genres, vocal preferences, and successful prompts may still contain personal or sensitive creative data, creating a privacy and consent issue if stored automatically.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs the agent to create and use `~/suno/` to store user preferences and successful prompts, but the primary usage flow does not require informed consent or a clear privacy notice before persisting conversation-derived data. This creates a real privacy risk because sensitive creative preferences, project details, or other user-provided context may be retained on disk unexpectedly.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The setup instructions direct the agent to save favorite genres, vocal preferences, successful prompts, and projects to `~/suno/memory.md` as part of normal operation, again without an explicit consent checkpoint. Because these notes are derived from user conversations and may reveal preferences or ongoing projects, silent retention increases privacy and data-minimization concerns.

External Transmission

Medium
Category
Data Exfiltration
Content
def generate(prompt, instrumental=False):
    """Generate a song from prompt."""
    r = requests.post(f"{BASE}/generate",
        headers=HEADERS,
        json={
            "prompt": prompt,
Confidence
89% confidence
Finding
requests.post(f"{BASE}/generate", headers=HEADERS, json=

External Transmission

Medium
Category
Data Exfiltration
Content
def generate_custom(lyrics, style_tags, title):
    """Generate with custom lyrics."""
    r = requests.post(f"{BASE}/custom_generate",
        headers=HEADERS,
        json={
            "prompt": lyrics,
Confidence
95% confidence
Finding
requests.post(f"{BASE}/custom_generate", headers=HEADERS, json=

External Transmission

Medium
Category
Data Exfiltration
Content
def generate_lyrics(topic):
    """Generate lyrics from topic."""
    r = requests.post(f"{BASE}/lyrics",
        headers=HEADERS,
        json={"prompt": topic})
    r.raise_for_status()
Confidence
84% confidence
Finding
requests.post(f"{BASE}/lyrics", headers=HEADERS, json=

External Transmission

Medium
Category
Data Exfiltration
Content
def generate_evolink(prompt, model="suno-v4", duration=120):
    """Generate with EvoLink API."""
    r = requests.post(f"{BASE}/audios/generations",
        headers=HEADERS,
        json={
            "model": model,
Confidence
90% confidence
Finding
requests.post(f"{BASE}/audios/generations", headers=HEADERS, json=

External Transmission

Medium
Category
Data Exfiltration
Content
songs = generate_custom(lyrics, "indie pop, dreamy", "Summer Love")
```

### cURL

```bash
# Generate
Confidence
82% confidence
Finding
cURL ```bash # Generate curl -X POST "https://api.aimusicapi.ai/api/v1/sonic/generate" \ -H "Authorization: Bearer $AIMUSICAPI_KEY" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# Generate
curl -X POST "https://api.aimusicapi.ai/api/v1/sonic/generate" \
  -H "Authorization: Bearer $AIMUSICAPI_KEY" \
  -H "Content-Type: application/json" \
  -d '{"prompt": "rock anthem guitar", "make_instrumental": false}'
Confidence
80% confidence
Finding
https://api.aimusicapi.ai/

VirusTotal

66/66 vendors flagged this skill as clean.