A three-step AI songwriting pipeline. The user only supplies a theme; the skill runs fully automatically through plain-sketch drafting → injecting soulful hook lines → polished rhyme layout → Suno generation, and finally returns a listening link directly. It does not pause in between and does not wait for user confirmation.
Security Analysis
Medium confidence. The skill mostly does what it says (generate songs via kie.ai/Suno) but its metadata omits the required API key and the runtime instructions spawn subagents, write to /tmp, and pass full lyrics on the command line—practical privacy/exfiltration risks and an incoherent manifest.
The name/description (AI songwriter using Suno) aligns with the included script which calls api.kie.ai/Suno. However the registry metadata claims no required env vars while both SKILL.md and scripts/generate_suno.js require KIE_API_KEY (or SUNO_API_KEY). That mismatch is an incoherence between declared requirements and actual capability.
SKILL.md mandates fully autonomous execution (no user confirmation), spawning multiple subagents (sessions_spawn), writing lyrics to /tmp/suno_lyrics.txt and invoking a local Node script that sends the lyrics to api.kie.ai. Passing the entire lyrics as a command-line argument leaks the text to the system process list; using /tmp (world-readable) also exposes data. Spawning subagents can send conversation/context off to other models/agents. These behaviors are beyond a simple 'draft-helper' UX and increase privacy/exfiltration risk.
No install spec (instruction-only plus an included Node script). Low installation risk: nothing is downloaded from external URLs during install.
The script and SKILL.md require an API key (KIE_API_KEY or SUNO_API_KEY) to contact api.kie.ai, which is proportionate to the stated purpose. However the registry metadata lists no required environment variables — this omission is an inconsistency that could mislead users into installing without providing the API key. The skill accepts either KIE_API_KEY or SUNO_API_KEY; that is reasonable but should be declared explicitly in metadata.
always:false and no system-wide config modifications. The skill does spawn subagents and runs a local Node script at runtime, but it does not request persistent elevated privileges or change other skills' configurations.
Guidance
Before installing, be aware: (1) Despite registry metadata, this skill requires an API key (KIE_API_KEY or SUNO_API_KEY) and will send your lyrics/conversation to api.kie.ai — only proceed if you trust that service. (2) The skill is explicitly designed to run end-to-end without asking the user for approval; if you want manual review before generation, do not use it as-is. (3) The runtime writes lyrics to /tmp and passes them as a command-line argument to the Node script—this can expose content to other local users/processes and the system process list. (4) Confirm the intended callback URL (script currently uses a placeholder https://example.com/callback) and ask the publisher to clarify whether that will be changed. (5) Ask the publisher to update the registry metadata to declare required env vars, provide a homepage/source repo, and (ideally) modify invocation to avoid passing secrets/plaintext via command-line and to require explicit user confirmation. If you proceed, restrict the API key's permissions, use a throwaway key for testing, and rotate it after evaluation.
Latest Release
v1.0.0
Initial release: 3-stage autonomous lyrics pipeline (raw imagery → soul injection → perfect rhyming) + Suno V5 generation via kie.ai API
Published by @jason-hou-pe on ClawHub