music-generation
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGHDATA_EXFILTRATIONCREDENTIALS_UNSAFE
Full Analysis
- DATA_EXFILTRATION (HIGH): Potential for arbitrary local file read and exfiltration via user-controlled parameters.
- Evidence (scripts/suno.py): The script implements a
--lyrics-file(or-f) argument. When used, the script performs an unvalidated file read:with open(args.lyrics_file, "r") as f: lyrics = f.read(). - Exfiltration Vector: The content of the read file is then assigned to the
lyricspayload and sent via a network POST request tohttps://api.suno.ai/v1/generations. - Impact: An attacker could use a prompt to trick the agent into reading sensitive system files (e.g.,
~/.ssh/id_rsa,~/.aws/credentials) and sending the contents to the external API service. - CREDENTIALS_UNSAFE (MEDIUM): Broad and potentially unsafe searching for environment files.
- Evidence (scripts/suno.py, scripts/udio.py): The
load_env()function searches for.envfiles in~/.config/skills/,~/, and iteratively walks up 10 parent directories from the script location. - Impact: Automatically searching parent directories for secrets is a risky pattern that can lead to the accidental ingestion and exposure of credentials from unrelated projects on the same filesystem.
Recommendations
- AI detected serious security threats
Audit Metadata