Skill v1.1.0
VirusTotal security
SunoMaker · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:38 AM
- Hash: 3f39ab600826aee896fa65e07aa2ff1f5afa3093537abbf7f1b7bd78d3d9c46b
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: sunomaker; Version: 1.1.0. The skill is classified as suspicious due to several vulnerabilities, primarily related to credential handling and system modification. The `suno_login.py` script passes Gmail credentials as command-line arguments, exposing them in process lists. The `GEMINI_API_KEY` is stored in plaintext in `~/.suno/.env`, and the `SKILL.md` troubleshooting section suggests `cat`ing this file, creating a prompt injection risk for API key exfiltration. Additionally, `patch_hcaptcha.py` directly modifies the source code of an installed Python library, which is a risky practice for system stability and maintainability. Debugging screenshots saved to `/tmp/suno_debug_*.png` could also expose sensitive information. While these are significant flaws, there is no clear evidence of intentional malicious behavior like unauthorized data exfiltration to external endpoints, persistence mechanisms, or obfuscated harmful payloads; the code's functionality aligns with its stated purpose of automating Suno AI music generation.
