Trust Assessment
suno-browser-songmaking received a trust score of 70/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 0 critical, 2 high, 1 medium, and 0 low severity. Key findings include Broad Browser Access via 'Chrome relay', Potential Credential Handling/Harvesting, and Access to Download/Share Artifacts.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 63/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Details | Layer | Location |
|---|---|---|---|---|
| HIGH | Broad Browser Access via 'Chrome relay' | The skill explicitly mentions using 'Chrome relay if the user is already logged in.' This implies the skill intends to operate within the user's primary browser session, granting it potentially broad access to browser data (cookies, local storage, other open tabs) and the ability to perform actions on the user's behalf. This is a significant security risk for data exfiltration and unauthorized actions if the skill is compromised or misused. Restrict browser automation to an isolated, sandboxed environment that cannot access the user's primary browser session or other sensitive data. If 'Chrome relay' is absolutely necessary, implement strict access controls and user consent mechanisms for each action, and clearly document the scope of access. | LLM | SKILL.md:22 |
| HIGH | Potential Credential Handling/Harvesting | The skill states, 'Otherwise use the isolated OpenClaw browser and ask for login if needed.' This indicates the skill may prompt the user for login credentials (e.g., username and password) for Suno. If the skill directly handles or stores these credentials, it poses a significant credential harvesting risk. The method of handling these credentials (e.g., direct input, secure token exchange, browser's built-in password manager) is critical and not specified, leading to a high potential for insecure practices. Avoid direct handling of user credentials. Instead, leverage secure authentication mechanisms like OAuth, API tokens, or browser-managed sessions. If direct login is unavoidable, ensure credentials are never stored, are transmitted securely (e.g., directly to the service via a secure channel, not through the skill's intermediate storage), and are immediately forgotten after use. Clearly document the credential handling process. | LLM | SKILL.md:22 |
| MEDIUM | Access to Download/Share Artifacts | The skill mentions, 'Provide the Suno link(s) and any download/share artifacts available.' This implies the skill has the capability to access and potentially transfer files generated or downloaded within the browser session. While providing links is generally safe, accessing and handling 'download/share artifacts' could lead to unintended data exfiltration if sensitive information is present in these artifacts and they are mishandled or transferred to an insecure location. Clearly define and restrict the types and locations of 'download/share artifacts' the skill can access. Ensure any retrieved artifacts are handled securely, validated for content, and only shared with explicit user consent and to trusted destinations. | LLM | SKILL.md:37 |
Full report: https://skillshield.io/report/eef0656a3e08487c