Total downloads: 484
Favorites: 0
Current installs: 0
Versions: 4
Install in OpenClaw
/install sunomaker
Description
Automated Suno AI Music Generation - Create professional songs without manual intervention. Headless browser automation for servers with Gemini 3.1 Pro integ...
Security recommendations
This skill mostly does what it promises (automating Suno via Playwright), but it asks you to handle highly sensitive authentication material and to run a source-patching script. Key things to consider before installing or running:
- Do not give your Gmail password to third-party scripts unless you fully trust and audit them; prefer OAuth flows and official APIs. The skill offers cookie import and direct Gmail password login — both expose full account access risk.
- The skill asks you to export browser cookies (and the export script can save full cookies). Those cookies can include Google authentication tokens. Treat exported cookie files as extremely sensitive; do not reuse them for other purposes.
- The SKILL.md/metadata do not declare the GEMINI_API_KEY environment variable even though the scripts require it for hCaptcha solving. This is a sensitive credential (access to Google AI) you must supply explicitly. The mismatch between metadata and instructions is an incoherence.
- patch_hcaptcha.py edits an installed third-party package (hcaptcha-challenger) in-place. Modifying site-packages is high-risk: it can introduce persistent behavior, disable future updates, or create a covert backdoor. Only run this in an isolated environment (throwaway VM or container) and inspect the target file first.
- If you still want to try it: run everything in an isolated VM or disposable container, use an account specifically created for this testing (not your primary Google account), and review the patched file contents before and after. Prefer the cookie 'slim' export limited to suno.com if you must use cookies. Consider contacting Suno for official automation/API options instead of bypassing captchas/security checks.
Confidence: medium — the code shows clear risky behaviors and metadata/instruction mismatches but does not contain obvious network exfiltration to unknown hosts; additional runtime inspection (full suno_login.py/suno_create_song.py logic) could raise or lower risk assessment.
Functional analysis
Type: OpenClaw Skill
Name: sunomaker
Version: 1.1.0
The skill is classified as suspicious due to several vulnerabilities, primarily related to credential handling and system modification. The `suno_login.py` script passes Gmail credentials as command-line arguments, exposing them in process lists. The `GEMINI_API_KEY` is stored in plaintext in `~/.suno/.env`, and the `SKILL.md` troubleshooting section suggests `cat`ing this file, creating a prompt injection risk for API key exfiltration. Additionally, `patch_hcaptcha.py` directly modifies the source code of an installed Python library, which is a risky practice for system stability and maintainability. Debugging screenshots saved to `/tmp/suno_debug_*.png` could also expose sensitive information. While these are significant flaws, there is no clear evidence of intentional malicious behavior like unauthorized data exfiltration to external endpoints, persistence mechanisms, or obfuscated harmful payloads; the code's functionality aligns with its stated purpose of automating Suno AI music generation.
Capability assessment
Purpose & Capability
Required binaries (google-chrome, Xvfb) and Playwright-based automation match the stated headless browser automation goal. However, the runtime also requires a Gemini API key for automated hCaptcha solving (sensitive credential) which is not declared in the skill metadata/requirements, and the skill includes code to edit a third‑party library to bypass domain checks — heavier access than a simple 'song creator' would normally need.
Instruction Scope
SKILL.md and scripts instruct the user to export full browser cookies from a local browser, scp them to the server, or to provide Gmail email+password for login; both actions involve handling highly sensitive authentication material. The docs explicitly recommend cookie import to 'bypass Google security checks' and include a step (patch_hcaptcha.py) that edits an installed package's source code — scope and data handling exceed what a benign music-generation helper normally needs.
Install Mechanism
There is no formal install spec, but the scripts auto-run pip/playwright installs and include patch_hcaptcha.py which performs in-place edits to an installed package's file. Modifying site-packages at runtime is high risk (can introduce persistent tampering, break other software, and evade easy inspection). The skill also suggests apt installs and running playwright install — normal for Playwright but combined with source patching raises risk.
Credentials
Declared metadata lists no required env vars, yet the runtime explicitly requires a GEMINI_API_KEY (sensitive) for automatic hCaptcha solving and also relies on cookie files or user Gmail credentials. This mismatch (undeclared sensitive env + optional direct credentials/cookie import) is disproportionate and confusing. The cookie export guidance may capture Google auth cookies (broad access) and is not limited to least privilege.
Persistence & Privilege
The skill writes persistent browser profiles (~/.suno/...), saves cookies, and includes a script that overwrites code in hcaptcha-challenger's installed files (system-wide modification). While 'always' is false, the ability to modify third‑party package files and create persistent user-data directories increases blast radius and persistence beyond a normal ephemeral helper.
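How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install sunomaker
- Once installation completes, invoke the Skill by name or use /sunomaker to trigger it
- Provide the required inputs according to the Skill's parameter description to get structured output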
Version history
v1.1.0
English translation + improved documentation
v1.0.0
Automated Suno AI music generation for headless Linux servers with Xvfb support
v2.0.1
Complete German translation
v2.0.0
Rebranded to SunoMaker, added Gemini 3.1 Pro model support, server-ready headless automation
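Metadata
FAQ
What is SunoMaker?
Automated Suno AI Music Generation - Create professional songs without manual intervention. Headless browser automation for servers with Gemini 3.1 Pro integ... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 484 cumulative downloads to date.
How do I install SunoMaker?
Run the command "/install sunomaker" in the OpenClaw or Claude Code chat box for a one-click install; no additional configuration is needed.
Is SunoMaker free?
Yes, SunoMaker is completely free (free and open source) and can be freely downloaded, installed and used.
Which platforms does SunoMaker support?
SunoMaker runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed SunoMaker?
Developed and maintained by NEO (@vitja1988); current version v1.1.0.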