Is machinesbefree/suno-browser-songmaking safe?

https://github.com/openclaw/skills/tree/main/skills/machinesbefree/suno-browser-songmaking

Overall score: 94/100 (SAFE)

The suno-browser-songmaking skill is a straightforward browser automation workflow for Suno music generation. The skill content is free of prompt injection, hidden instructions, executable code, and data exfiltration logic. All canary files remained intact throughout the audit, and network activity during installation was limited to the expected GitHub clone and pre-existing OS services. The only notable concerns are a minor packaging defect (wrong skill name in lock.json) and the inherent ambient access that Chrome relay mode grants to the user's live browser session, which is disclosed as the skill's intended mechanism.

Category Scores

Prompt Injection: 96/100 (weight 30%)
Data Exfiltration: 94/100 (weight 25%)
Code Execution: 95/100 (weight 20%)
Clone Behavior: 95/100 (weight 10%)
Canary Integrity: 100/100 (weight 10%)
Behavioral Reasoning: 85/100 (weight 5%)

Findings (4)

[LOW] Mismatched lock.json: references wrong skill (score impact: -5)

The .clawhub/lock.json file inside the skill package lists 'academic-research-hub' as the installed skill rather than 'suno-browser-songmaking'. This indicates the file was likely copied from another skill's workspace and not updated. It is a packaging/hygiene defect, not a security issue, but suggests insufficient QA on the published artifact.

[INFO] Chrome relay accesses live authenticated browser session (score impact: -4)

The skill's Step 3 instructs the agent to 'Prefer Chrome relay if the user is already logged in.' This means the agent operates inside the user's real browser profile, with access to active Suno session cookies and any other open tabs/sessions. This is the stated purpose of the skill and requires user consent to attach the tab, but users should be aware the agent has ambient access to their authenticated session.

[INFO] Hard-coded persona and style defaults bypass user confirmation (score impact: -2)

The runbook embeds specific default values ('Kara Codex' persona, specific style tags, song title 'Anchor Protocol') that would be applied without per-use user confirmation if the agent follows the runbook literally. This is aesthetically opinionated and could produce unexpected outputs, but poses no security risk.

[INFO] Expected network activity only during install (score impact: 0)

All observed network connections during clone are attributable to the git clone operation (GitHub HTTPS) and pre-existing OS background services (Ubuntu apt check, Canonical HTTPS). No novel third-party endpoints were contacted. Connection state before and after install is identical except for an SSH session rotation.