suno-engineer

SUSPICIOUS. The skill's local file access and prompt-editing behavior fit its stated music-prompt purpose, and there is no clear credential theft or exfiltration path. However, it requires a custom MCP tool with only partial same-publisher evidence and no verifiable public release/install trail in the provided evidence, so the overall security risk remains high under the unverifiable-dependency rule.