Back to skill

Security audit

suno-music.skill

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Suno music-generation skill, but it exposes broader remote API and local-file upload capabilities than the user-facing description clearly explains.

Review before installing. Use it only if you are comfortable giving it a Suno API key and sending prompts, lyrics, task data, and explicitly selected media files to a remote Suno-compatible service. Keep SUNO_BASE_URL unset or pinned to the intended trusted endpoint, and do not use upload-file with sensitive local files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (7)

Tainted flow: 'BASE_URL' from os.getenv (line 37, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
def _post(path: str, data: dict) -> dict:
    r = requests.post(f"{BASE_URL}{path}", headers=_headers(), json=data, timeout=120)
    r.raise_for_status()
    return r.json()
Confidence
92% confidence
Finding
r = requests.post(f"{BASE_URL}{path}", headers=_headers(), json=data, timeout=120)

Tainted flow: 'BASE_URL' from os.getenv (line 37, credential/environment) → requests.get (network output)

Critical
Category
Data Flow
Content
def _get(path: str, params: dict = None) -> dict:
    r = requests.get(f"{BASE_URL}{path}", headers=_headers(), params=params, timeout=30)
    r.raise_for_status()
    return r.json()
Confidence
92% confidence
Finding
r = requests.get(f"{BASE_URL}{path}", headers=_headers(), params=params, timeout=30)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documents use of environment variables and outbound network access to a third-party API, but no declared permissions are present. This creates a transparency and governance gap: users or orchestrators may invoke a capability-bearing skill without clear authorization boundaries or review of what secrets and network actions it can use.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose is limited to generating songs and checking status, but the underlying capability set appears substantially broader, including file uploads, media transformation, account/credit checks, and other remote operations. This mismatch is dangerous because users and reviewers may consent to a simple music-generation skill while the implementation can transmit local content or perform unrelated external actions they did not anticipate.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The skill exposes a CLI path that can read any local file path and upload it to an external domain (sunoapiorg.redpandaai.co), which is broader than the stated music-generation purpose and can be abused for local file exfiltration. Even though it is user-invoked, agent skills often receive parameterized inputs from higher-level orchestration, so an attacker may coerce the agent into uploading sensitive local files such as tokens, configs, or documents. The mismatch with the manifest makes this more dangerous because users may not expect local file transfer capability.

Vague Triggers

Medium
Confidence
77% confidence
Finding
The trigger language is broad enough to match many ordinary requests about music creation or audio production, increasing the chance of over-invocation. In practice, that can cause unintended routing to a networked third-party skill, leading to unnecessary data sharing or execution of capabilities when a simpler local response would have sufficed.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill states that prompts, lyrics, style tags, and titles are sent to an external API, but it does not prominently warn users that their content will leave the local environment. This is a privacy and consent issue, especially because lyrics or prompts may contain sensitive, proprietary, or personal information.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.