Suno V5 Music

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Suno music web app, but it needs review because it auto-installs packages, stores an API key in browser storage, and exposes under-scoped local server controls.

Review before installing. Use a dedicated, low-scope AceData API key, run the app only in an isolated virtual environment on localhost, avoid confidential prompts or lyrics, and clear browser localStorage/history when finished. The publisher should remove automatic unpinned pip installs, pin dependencies, disable debug mode, constrain file-serving paths, validate downloaded media, and provide safer API-key storage or an easy clear option.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill advertises capabilities that include environment access, file read/write, network, and shell execution, but declares no permissions or trust boundaries. This creates a transparency and consent failure: users may invoke a skill that can install packages, contact external services, and write files locally without being clearly warned or gated.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
This startup script silently installs Python packages during launch, which is not necessary for core music-generation logic and introduces a supply-chain execution path. Running pip at startup can fetch code from external indexes and execute package installation hooks without meaningful review, increasing risk if indexes, mirrors, or dependencies are compromised.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The /shutdown endpoint allows any caller to terminate the Flask server without authentication or authorization checks. This is a straightforward denial-of-service issue and is unrelated to the app’s stated purpose of music generation, which makes its presence especially suspicious and dangerous.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The page exposes a one-click client-side control that sends a POST to /shutdown, allowing any user with access to the UI to terminate the service. In a web app for music generation, this is unrelated to core user functionality and creates an avoidable denial-of-service path if the backend honors the request without strong authorization.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The invocation text is broad enough that a generic request to create music could trigger this skill without the user understanding that it starts a local web server and performs filesystem and network operations. Ambiguous activation increases the chance of unintended execution of a higher-risk skill.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Although the document later mentions the save path, the skill description does not prominently warn at the point of use that generated files are automatically written to the user's Desktop. Silent or poorly disclosed file creation can surprise users, overwrite expectations about local state, and expose sensitive content to other local users or backup/sync systems.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Storing an API key in browser localStorage is a privacy and security risk because localStorage is persistent and accessible to any script running in the same origin, including injected or compromised frontend code. The absence of a prominent warning prevents informed consent for credential persistence on disk.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
download_file fetches arbitrary remote content from a supplied URL and writes it directly to a caller-chosen local path without validating the source, size, or content type. If an attacker can influence the URL or output path through upstream API responses or caller input, this can enable unsafe local file writes, storage exhaustion, or delivery of misleading/malicious files to disk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
save_generation automatically creates directories and persists audio, images, and lyrics to a hard-coded desktop path without any consent, disclosure, or robust filename sanitization. Because filenames incorporate partially untrusted track metadata and remote URLs determine downloaded content, this increases the risk of unexpected local data persistence, user privacy issues, and unsafe file creation behavior.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script runs pip automatically without prior warning or user confirmation, causing code from external packages to be downloaded and executed as part of startup. In a local agent skill context, this is more dangerous because users may expect a music app but not an installer that changes the Python environment and reaches out to package repositories.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The application persists the user's API key in localStorage, where any script running in the page origin can read it, including code introduced via XSS or compromised third-party resources. Storing long-lived credentials in localStorage increases exposure because the secret survives browser restarts and is accessible to client-side JavaScript.

VirusTotal

64/64 vendors flagged this skill as clean.
