revol-suno-headless-skill
Malicious
Audited by ClawScan on May 10, 2026.
Overview
This skill is built to automate Suno by bypassing Google and hCaptcha protections while collecting and persisting account cookies, which can put your accounts at risk.
Do not install this as-is. It asks for highly sensitive Google/Suno login material, stores reusable session cookies, and is explicitly designed to bypass anti-automation and CAPTCHA protections. If you already used it, revoke active sessions, rotate any shared API keys or passwords, and delete the stored ~/.suno cookies/profile files.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using this skill may bypass service security controls, trigger account locks, or violate provider policies while automating actions on the user's Suno/Google account.
The documented workflow explicitly evades anti-automation checks and automates CAPTCHA solving, which goes beyond ordinary browser automation.
Run Chrome in GUI mode through an Xvfb virtual display... to bypass Google's anti-automation detection... When creating a song, Suno pops up a CAPTCHA; a Gemini API Key is required to solve the hCaptcha automatically
Do not use this bypass workflow. Prefer official APIs or normal user-driven login and CAPTCHA handling; remove anti-detection and automated CAPTCHA-solving behavior.
A password or cookie file can grant account access; anyone with access to the server or files may be able to reuse the user's Suno/Google session.
The skill asks for primary Google credentials or transferable session cookies and uploads them to a server, while the registry declares no primary credential.
Please provide: 1. Gmail email address 2. Gmail password...Cookie import (🌟 Recommended! Perfectly bypasses Google security verification)...scp <本地导出的Cookie文件> user@your-server:/root/suno_cookie/suno_cookies.json
Do not provide Gmail passwords or full session cookies to the skill. If already used, revoke sessions, rotate relevant credentials, and remove stored cookie/profile files.
Users may provide sensitive login material under a false sense that no reusable authentication data is retained.
This reassurance is misleading because the artifacts show persistent cookie/browser-profile storage and use of Google/Suno/Gemini services during the workflow.
Your credentials are used only for this login and will not be stored or transmitted to any third party.
Remove the misleading privacy claim and clearly disclose all stored session material, external services used, command-line exposure risks, and cleanup steps.
This can break or alter other tools using the same package and makes the installed environment harder to audit or restore.
The patch rewrites an installed third-party package in place and broadens hCaptcha frame matching, affecting the local Python environment outside this one script.
CHALLENGER_FILE = mod.__file__...with open(CHALLENGER_FILE, "w") as f: f.writelines(new_lines)...contains(@src, '/captcha/v1/')
Avoid modifying site-packages in place. Use a pinned, isolated virtual environment or a reviewed fork, and provide a clear rollback path.
Future invocations can act through the stored session without re-entering credentials, and compromise of the host can expose account access.
The skill stores reusable cookies and a persistent browser profile, enabling continued account automation after the original login.
DEFAULT_COOKIE_FILE = os.path.expanduser("~/.suno/cookies.json")
DEFAULT_USER_DATA_DIR = os.path.expanduser("~/.suno/chrome_gui_profile")
Require explicit user approval before each account action, provide a cleanup command for ~/.suno cookies/profile data, and avoid long-lived reusable sessions when possible.
