revol-suno-headless-skill

Suno AI 音乐创作助手（无头 Linux 服务器专用版）— 自动登录、创建歌曲、下载音频。通过 Xvfb 虚拟显示在无 GUI 的 Linux 云服务器上运行。当用户要求生成音乐、写歌、创作歌曲、用 Suno 生成 AI 音乐时使用。

What to consider before installing/use 1) Credentials: Never hand your primary Google/Gmail password or upload full browser cookies for your real account to an untrusted server. The export tool produces a 'full' cookie file that can include Google session tokens — importing it on a server can give that server access to other Google services. If you must use this skill, prefer the 'slim' cookie export (only Suno-related cookies) or use a throwaway Google account. 2) Avoid sending passwords to servers: The skill allows two login modes. Do NOT provide your Gmail password to the server unless you fully trust and audited the code; use local export/import of cookies performed on your desktop instead, and verify the exported cookie file contains only what you expect. 3) GEMINI_API_KEY and undeclared secrets: The skill requires a Gemini API key for hCaptcha solving but the registry metadata doesn't declare this. Treat that key as sensitive — store it only in an isolated environment and consider restricting or revoking it after use. 4) Code modifies installed packages: patch_hcaptcha.py edits the installed hcaptcha_challenger package in place. This is intrusive and can persist changes across environments. Inspect that patch file and the target package before running; consider running in an ephemeral VM or container. 5) Persistence and cleanup: The skill writes persistent data to ~/.suno (cookies, profile, logs). After use, delete ~/.suno and revoke any active sessions in your Google account. If you imported cookies, rotate/revoke the session and consider a password reset. 6) Safer alternatives: Run the entire workflow inside an isolated VM/container you control, use a disposable Google account, or run export_cookies.py locally and manually prune the cookie file to include only exact Suno domains before uploading. 7) What would reduce risk: explicit registry declaration of required env vars (GEMINI_API_KEY), a documented option to only export/import Suno domain cookies (and tooling to verify), avoiding in-place patching of site-packages (or shipping a forked library), and a clear statement about which files are persisted and where. If the author provides a minimized cookie-only import (Sun o-only cookies) and avoids modifying third-party packages, my concern level would drop. If you are not comfortable with these risks, do not install/run this skill on systems containing your real accounts or sensitive data.

Type: OpenClaw Skill Name: suno-headless-skill Version: 1.0.6 The skill is classified as suspicious due to several risky practices and vulnerabilities, despite its stated purpose appearing benign. Key indicators include: 1) The `suno_login.py` script passes Gmail credentials directly as command-line arguments, which are visible in process lists (`ps aux`), posing a credential exposure vulnerability. 2) The `patch_hcaptcha.py` script directly modifies the source code of a third-party Python library (`hcaptcha-challenger`), which is an unconventional and fragile practice that can compromise system integrity and stability. 3) The use of `sudo` for installing system dependencies and the `--no-sandbox` flag for Chrome in `suno_create_song.py` and `suno_login.py` introduce elevated privileges and reduced browser security, respectively. While these actions are intended to enable the skill's functionality (automating Suno AI on a headless server), they represent significant security risks without clear malicious intent.