Suno V5 Music
Status: Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: ace-suno-v5
Version: 1.0.1
The skill bundle exhibits high-risk behaviors and poor code hygiene. Specifically, 'start_server.py' automatically executes 'pip install' to manage dependencies, which poses a supply chain risk. Additionally, 'scripts/suno_client.py' contains a hardcoded personal Windows file path ('C:\Users\86137\Desktop\music'), suggesting the code was exported from a specific user environment without proper sanitization. While the tool appears functional for its stated purpose of AI music generation via the AceData API, it includes promotional referral links (share.acedata.cloud) and lacks input validation on the local Flask server.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
While the local server is running, the download endpoint may expose files outside the intended generated-song folder to local web requests.
The route parameter 'date' is used to build the served directory without validating that it is a normal generated-music date folder. A value like '..' can point outside the intended ~/Desktop/music/YYYY-MM-DD scope, making the local server capable of serving non-generated Desktop files.
@app.route('/download/<date>/<filename>')
...
directory = os.path.join(BASE_MUSIC_DIR, date)
...
return send_from_directory(directory, filename, as_attachment=True)
Validate the date strictly, resolve the final path under BASE_MUSIC_DIR, reject '..' and path separators, and consider adding a per-session token or other guard for local download and shutdown routes.
Installing the skill may fetch changing third-party packages from PyPI, which can introduce compatibility or supply-chain risk.
The startup script installs dependencies dynamically and without pinned versions. This is disclosed and purpose-aligned for a Flask web app, but it relies on whatever package versions are available at runtime.
subprocess.check_call([sys.executable, "-m", "pip", "install", package])
Prefer pinned dependency versions, a reviewed requirements file or lockfile, and a standard install spec instead of installing packages automatically during startup.
Anyone with access to the same browser profile and localhost origin data may be able to recover or reuse the stored AceData key.
The skill requires an AceData API key and persists it in browser localStorage. This is expected for the AceData integration, but it is still a credential that can consume the user’s provider account access or credits.
On first visit you will be prompted to enter the AceData API Key ... The API Key is saved locally in the browser and auto-filled the next time you open it
Use a dedicated or limited AceData key if possible, clear the site’s localStorage when finished, and revoke the key if the browser profile is shared or compromised.
Creative prompts or lyrics you enter may be processed by the external AceData service.
The client sends generation payloads to the AceData API. This is central to the skill’s purpose, but prompts, lyrics, titles, style choices, and optional advanced parameters leave the local machine.
base_url: str = "https://api.acedata.cloud/suno" ... response = self.session.post(endpoint, json=payload)
Avoid submitting confidential lyrics or private project details unless you trust AceData’s handling of that data, and be cautious with optional callback URLs.
Prompts and generation metadata can remain on disk even after the server is closed.
The app stores recent generation history, including prompts and local output paths, in a persistent JSON file. This supports the history feature but leaves a local record after use.
HISTORY_FILE = os.path.join(os.path.dirname(__file__), 'generation_history.json')
...
'prompt': params.get('prompt', '')
...
json.dump(history, f, indent=2)
Do not enter sensitive prompts; if privacy matters, clear the history file manually or add a clear-history control.
