SunoMaker

Verdict: Malicious. Audited by ClawScan on May 10, 2026.

Overview

This skill is designed to bypass Google and hCaptcha anti-bot protections while handling Google login credentials and session cookies.

Avoid installing this skill. It is built around bypassing Google and hCaptcha protections and requires sensitive Google/Suno account access. If you already used it, delete ~/.suno cookie/profile data, remove uploaded cookie files, rotate or revoke affected credentials, and review active Google/Suno sessions.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Using it could violate service anti-abuse controls, trigger account restrictions, and normalize automated bypass of security checks.

Why it was flagged

The skill is not merely automating a browser; it explicitly makes anti-automation and CAPTCHA bypass part of the normal workflow.

Skill content

Uses Xvfb Virtual Display to run Chrome in GUI mode without a monitor, bypassing Google's anti-automation systems ... Gemini API Key required (for automatic hCaptcha solving)
Recommendation

Do not install or run this skill; use official Suno/API workflows that do not bypass CAPTCHA or anti-bot systems.

What this means

A compromised agent, terminal history, or server could expose the user's Google account password.

Why it was flagged

The skill asks the agent/user to provide full Google account credentials and passes the password on the command line, which can expose it through shell history or process listings.

Skill content

Please provide: 1. Gmail address 2. Gmail password ... python3 suno_login.py --email "<user-email>" --password "<user-password>"
Recommendation

Never provide a Gmail password to an automation skill; use official OAuth flows or service-specific tokens with limited scope.

What this means

Anyone who obtains the cookie file may be able to reuse the user's logged-in Suno/Google session.

Why it was flagged

The cookie exporter saves the full browser cookie set, including Google login state, for transfer to a server.

Skill content

# Full version: all cookies (including Google login state, etc.; more reliable) ... json.dump(cookies, f, indent=2, ensure_ascii=False)
Recommendation

Do not export or upload full login cookies; if already used, delete the cookie files and revoke active sessions.

What this means

Future Python tools using the same package may run altered CAPTCHA-handling code, and package upgrades may behave unpredictably.

Why it was flagged

The skill modifies an installed third-party package's source code to broaden hCaptcha handling, making the local Python environment harder to trust or reproduce.

Skill content

"""Patch the hcaptcha-challenger source to support Suno's custom hCaptcha domain""" ... with open(CHALLENGER_FILE, "w") as f: f.writelines(new_lines)
Recommendation

Avoid skills that patch installed dependencies; use pinned, reviewed packages and isolated environments.

What this means

Running the script may change the local Python/browser environment without a separate install step.

Why it was flagged

When Playwright is missing, the runtime login script can install packages and browser binaries rather than only failing with setup instructions.

Skill content

subprocess.check_call([sys.executable, "-m", "pip", "install", "playwright"]); subprocess.check_call([sys.executable, "-m", "playwright", "install", "chromium"])
Recommendation

If any similar tool is used, run it only in a disposable virtual environment or container after reviewing dependencies.

What this means

Users may be persuaded to share high-value session cookies or credentials because the risky path is framed as safe and preferred.

Why it was flagged

The wording positively markets bypassing security checks and transferring cookies as the recommended path, which can lead users to underestimate the account risk.

Skill content

Method A: Cookie Import (🌟 Recommended! Perfectly bypasses Google security checks) ... Completely bypasses Google's security checks.
Recommendation

Treat any skill that advertises bypassing security checks as unsafe, even if it claims the process is convenient.