Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Suno AI

v1.0.0

Generate music via Suno with the local browser-backed flow. Use when the user wants Suno songs, instrumental tracks, lyric-based songs, Suno credit checks, o...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name/description (Suno music generation, session recovery, credit checks) aligns with the included code: browser automation, cookie import/validation, and generation flows. However, the code also reads a live Chromium Cookies DB, decrypts cookies, and can import cookies from a local HTTP receiver — capabilities that go beyond simple 'call Suno API' behavior. The skill does not declare any required environment variables but clearly expects an OpenRouter API key (OPENROUTER_API_KEY / OPENCLAW_OPENROUTER_API_KEY) and may read ~/.openclaw/.env; that mismatch is noteworthy.
Instruction Scope
SKILL.md directs running local scripts and references paths under ~/.suno (venv, chrome profile, cookie files). The implementation will: read/save normalized cookie headers, import raw cookie JSON, copy and read the Chromium cookie SQLite DB (snap/chromium path), decrypt encrypted cookies, launch a persistent Playwright browser profile, run a local HTTP server to receive cookies, and call Suno endpoints. Those actions involve accessing sensitive local browser artifacts and persisting JWTs/cookies to ~/.suno. The SKILL.md mentions a local cookie receiver and exporting cookies but does not mention the Chromium DB export/decrypt capability or the optional external model service used for hCaptcha solving.
Install Mechanism
No install spec — instruction-only plus bundled Python scripts. Nothing in the manifest downloads remote archives during install. The runtime will rely on a Python virtualenv (~/.suno/venv) and Playwright; the code itself will be written to disk as part of the skill bundle, which is expected for a skill with code files.
Credentials
No required env vars are declared, but the code reads environment variables and files: it looks for OPENROUTER_API_KEY or OPENCLAW_OPENROUTER_API_KEY (and also checks ~/.openclaw/.env), and the helper scripts honor SUNO_PYTHON_BIN. The OpenRouter key is used to patch an hCaptcha challenger to solve image tiles via an external model provider — this is a privileged credential that the metadata does not declare. The skill also writes sensitive artifacts (normalized cookie header, raw cookies, JWT-derived tokens, debug logs) under ~/.suno.
Persistence & Privilege
The manifest's always flag is false, and the skill does not request forced global inclusion. It persists session artifacts and a browser profile under ~/.suno, which is consistent with its purpose. The skill does not appear to modify other skills or system-wide agent settings in the files shown.
What to consider before installing
This skill implements a local browser-backed Suno automation that will access and persist your Suno session cookies/JWTs and can read your Chromium cookie DB (it even contains code to decrypt encrypted cookie values). It can also use an OpenRouter API key (from env or ~/.openclaw/.env) to perform hCaptcha solving via an external model — but the skill metadata does not declare this required credential. Before installing: (1) review the code yourself (or have a trusted developer do so), especially browser_session.py and openrouter_provider.py; (2) be comfortable that the skill will read browser cookies and write tokens/logs to ~/.suno; (3) if you do not want your local browser cookies read, do not run this skill, or run it in an isolated VM/container; (4) if you provide an OpenRouter key, recognize that it may be used to solve captchas and will incur remote model usage; (5) consider setting SUNO_PYTHON_BIN to a dedicated virtualenv and inspect ~/.openclaw/.env for secrets before running. The behavior is consistent with its stated purpose but contains sensitive operations and undeclared credential usage — exercise caution.

