Suno Cn Music

Security checks across malware telemetry and agentic risk

Overview

The skill’s capabilities appear disclosed and purpose-aligned, with the main caution being careful handling of API keys and diagnostic output.

Install only if you trust the publisher and the connected service. Use a least-privilege API key where possible, avoid pasting raw logs publicly, and redact tokens, headers, account identifiers, and response bodies before sharing troubleshooting output.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Ssd 3

Medium

Confidence: 97% confidence
Finding: The skill explicitly instructs the agent to display detailed technical logs to the user, including full response headers, response bodies, error messages, and stack traces. Even with partial masking of the Authorization header, these logs can contain sensitive server details, internal identifiers, user data, tokens returned in error payloads, or infrastructure metadata that should not be exposed in normal conversation.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal