
Security audit

lyric-writer

Security checks across malware telemetry and agentic risk

Overview

This is a simple lyric-writing helper for Suno-style English songs, with no code execution, credentials, storage, or hidden access.

Before installing, note that it may activate for broad lyric-writing prompts and will default to English lyrics. Review generated lyrics for suitability and originality before publishing, but no security-sensitive permissions or runtime behaviors are apparent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 88%
Finding
The trigger description uses broad phrases such as requests to write lyrics or English lyrics, which can cause the skill to activate in situations where the user did not specifically want Suno-formatted lyric generation. This is primarily a scope-control issue rather than a direct security exploit, but unintended invocation can override user intent and route unrelated prompts into this skill.

Natural-Language Policy Violations

Medium
Confidence: 80%
Finding
Mandating English-only output without user opt-in can conflict with user intent and system language expectations, especially in multilingual contexts. While not a classic security flaw, it can cause policy or UX failures by forcing a language constraint regardless of the user's request, reducing reliability and creating avoidable misrouting or noncompliance behavior.

VirusTotal

62/62 vendors flagged this skill as clean.
