suno-music.skill

ReviewAudited by ClawScan on May 10, 2026.

Overview

This mostly looks like a Suno music-generation API wrapper, but it has an under-documented default callback that could send generation results to sunoapi.org, especially when a custom API endpoint is used.

Before installing, be comfortable sending prompts, lyrics, and any provided audio URLs to the Suno API, and use a dedicated API key. Be cautious with custom SUNO_BASE_URL use until the callback behavior is clarified or changed.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Medium

#ASI07: Insecure Inter-Agent Communication

What this means

Generated song results, links, or related metadata could be sent to a default callback destination the user did not explicitly choose.

Why it was flagged

The script lets the API base URL be changed but still defaults asynchronous callback notifications to a fixed sunoapi.org URL. That callback behavior is not explained in SKILL.md and could expose generation result metadata or links outside the endpoint the user intended to use.

Skill content

BASE_URL = os.getenv("SUNO_BASE_URL", "https://api.sunoapi.org") ... "callBackUrl": callback or "https://sunoapi.org"

Recommendation

Document the callback behavior clearly, expose a user-visible callback option, and avoid setting a fixed callback URL by default—especially when SUNO_BASE_URL is overridden.

Low

#ASI03: Identity and Privilege Abuse

What this means

The skill can use the user's Suno account and may consume API credits when generating music.

Why it was flagged

The skill requires a bearer API key for Suno. This is expected for the integration, but it gives the script authority over the user's Suno API account.

Skill content

export SUNO_API_KEY="your_key_here" ... Auth: Bearer token via `SUNO_API_KEY`

Recommendation

Use a dedicated or limited Suno API key if possible, monitor credit usage, and revoke the key if you stop using the skill.

Low

#ASI02: Tool Misuse and Exploitation

What this means

If invoked, these extra commands could upload or transform user-selected audio URLs, query account credits, or create additional Suno-side artifacts.

Why it was flagged

The helper script documents additional Suno API actions beyond the SKILL.md command table. They are music-related and not shown to run automatically, but they broaden what the tool can do.

Skill content

suno.py upload-cover --url "https://..." ... suno.py upload-extend --url "https://..." ... suno.py credits ... suno.py boost-style --content

Recommendation

Review and limit use to the commands you intend, and confirm before running actions that upload content or spend account credits.