revol-suno-skill
Pending
Static analysis audit pending.
Overview
No static analysis result has been recorded yet. Pattern checks will appear here once the artifact has been analyzed.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your Suno or Google account could be flagged, challenged, or suspended, and the agent may be used to bypass anti-abuse protections.
The stated workflow is built to solve CAPTCHA challenges and evade bot-detection controls, not just automate ordinary user-visible steps.
Automatically solve hCaptcha challenges ... hcaptcha-challenger + Gemini API automatically solves hCaptcha challenges ... pass Google's anti-automation detection
Do not install skills that automate CAPTCHA or anti-bot bypass. Use manual login/challenge completion or an official approved API.
A Gmail password entered into an agent command may be exposed in terminal logs, shell history, process listings, or to anyone reviewing the agent transcript.
The skill asks the user to disclose a primary Google account password to the agent and passes it as a command-line argument, creating high-impact credential exposure.
You must first ask the user for: ... Gmail email address ... Gmail password ... python3 suno_login.py --email "<用户邮箱>" --password "<用户密码>"
Do not provide a primary Google password to the skill. Use official browser-mediated OAuth where the user enters credentials directly, or use a dedicated low-risk account.
Anyone or any process with access to those local files may be able to reuse the Suno/Google session without re-entering a password.
The login code persists browser profile data and session cookies locally, which can act as reusable account access.
DEFAULT_COOKIE_FILE = os.path.expanduser("~/.suno/cookies.json") ... DEFAULT_USER_DATA_DIR = os.path.expanduser("~/.suno/chrome_gui_profile") ... json.dump(cookies, f, indent=2)
Require explicit consent for session persistence, store files with restrictive permissions, provide a cleanup/revocation path, and prefer a dedicated account.
This may break other tools, alter CAPTCHA-handling behavior outside this skill, and become unpredictable as dependency versions change.
The patch script modifies the installed hcaptcha-challenger package in place, creating unscoped side effects in the user's Python environment.
CHALLENGER_FILE = mod.__file__ ... with open(CHALLENGER_FILE, "w") as f: f.writelines(new_lines)
Do not patch site-packages in place. Pin dependencies, vendor a reviewed copy, or use a scoped extension mechanism with a clear restore/uninstall step.
A user may provide sensitive credentials believing no lasting login material remains, when the skill intentionally preserves session state.
The user-facing assurance minimizes credential risk while the same artifact describes persistent cookie/localStorage retention, which is credential-like account access.
Your credentials are used only for this login and will not be stored or transmitted to any third party ... persistent context keeps browser state (cookies, localStorage)
State clearly that session cookies and browser profile data are stored, explain how long they persist, and provide safe cleanup instructions.
