Lyric Sense

Security checks across malware telemetry and agentic risk

Overview

The lyric viewer itself is coherent with its stated purpose, but the bundled local API has broad file, database, network, and metadata-changing powers that are not adequately scoped or disclosed.

Use the static lyric viewer only if you are comfortable sending song and artist searches to third-party services. Treat the bundled LrcApi server as a high-privilege local service: do not expose it publicly, run it with authentication and minimal filesystem access, and avoid using its build scripts or metadata/file-management APIs unless you have reviewed and isolated them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (29)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Install PyInstaller and the main program's dependencies
# Must run before importing the project's modules, otherwise a module-not-found error occurs
print("Installing dependencies...")
subprocess.run("pip install -r requirements.txt", shell=True)
subprocess.run("pip install pyinstaller", shell=True)

from mod.args import args
Confidence
92% confidence
Finding
subprocess.run("pip install -r requirements.txt", shell=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Must run before importing the project's modules, otherwise a module-not-found error occurs
print("Installing dependencies...")
subprocess.run("pip install -r requirements.txt", shell=True)
subprocess.run("pip install pyinstaller", shell=True)

from mod.args import args
Confidence
89% confidence
Finding
subprocess.run("pip install pyinstaller", shell=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
options = generate_add_data_options("src")
command = f"pyinstaller -F -i logo.png {options} app.py -n {PACK_NAME}"
subprocess.run(command, shell=True)
Confidence
95% confidence
Finding
subprocess.run(command, shell=True)

eval() call detected

High
Category
Dangerous Code Execution
Content
if "WM/Picture" in afile.mfile.tags:
    p = afile.mfile.tags["WM/Picture"][0].value
    if not isinstance(p, bytes):
        # tag payload from the media file is evaluated as Python code
        p = eval(p)
    try:
        artwork = Artwork(p)
    except OSError:
Confidence
99% confidence
Finding
p = eval(p)

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The README's feature summary presents the service primarily as a read-oriented lyrics/cover API, but later documents a write-capable /tag endpoint that modifies music file metadata. This omission can mislead operators into exposing or deploying the service without realizing it can alter local files, increasing the risk of unintended file tampering when the API is reachable or authentication is unset.

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
The /db custom SQL endpoint accepts user-supplied SQL and passes it directly to sqlite3 cursor.execute() with no restriction to read-only statements. Any caller with rw permission can run arbitrary database commands, including data destruction, schema modification, or extraction of sensitive data, making this effectively a built-in SQL execution backdoor.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The download endpoint accepts an arbitrary URL and arbitrary destination path, then performs a server-side request and writes the response to disk. This enables SSRF against internal services and arbitrary file write within the privileges of the application, which is especially dangerous in an authenticated file-management API with no allowlist or path restrictions.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The list endpoint allows callers to supply any filesystem path and returns directory contents and metadata, enabling arbitrary filesystem enumeration. Even with authentication, this exposes sensitive operational information such as filenames, permissions, ownership, and timestamps outside any clearly bounded application scope.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The /translate endpoint accepts a caller-provided token and uses it to instantiate an OpenAI client for outbound requests. That gives this lyrics-focused service an unnecessary proxy capability to arbitrary configured AI backends, which can be abused for undisclosed data egress, cost shifting, or use of the application as a relay to external services.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The file_viewer endpoint accepts a client-controlled path and passes os.path.dirname(filename) and os.path.basename(filename) directly to send_from_directory. Because the route uses <path:filename> and only checks a loose extension whitelist, an authenticated user can request arbitrary readable files on the server that happen to end in allowed extensions, enabling path traversal and unauthorized file disclosure outside the intended media/library scope.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
This is a real authorization bypass. The has_permission helper returns true for any non-empty `supply` value, so any configured token or auth group that carries any permission string at all is treated as satisfying every requested permission, including write or admin-like actions. In this auth context, that makes permission separation ineffective and can allow users with limited access to perform privileged operations.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
This helper parses embedded picture metadata but evaluates the tag payload as Python code, turning routine file inspection into code execution. In a media-tagging or library-scanning context, simply opening or indexing an attacker-supplied ASF/WMA file could trigger execution without any further user action.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger phrases are broad, generic music-related terms such as '歌词' (lyrics) and '播放音乐' (play music), which can cause the skill to activate during ordinary conversation or when the user intended a different music function. In this skill's context, unintended activation is risky because it may send user queries to an external lyrics API by default, creating privacy and UX issues.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill states that a free public API is used by default but does not clearly warn users that song/artist queries will be transmitted to a third-party service. This matters because lyric searches can reveal listening habits or preferences, and users are not given informed consent before external transmission.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
User-provided song and artist queries are sent to third-party services, including a public CORS proxy, which exposes user input and browsing behavior to additional external operators. While the data is not highly sensitive by default, the undisclosed relay through corsproxy.io increases privacy and integrity risk because the proxy can log, inspect, or manipulate responses.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The README documents a /tag endpoint that modifies music file metadata on disk, but it does not prominently warn users that this is a write operation against host-mounted files. In this skill context, the Docker examples mount the music library into the container, so an exposed or weakly protected endpoint could let callers alter media metadata across the library.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README documents a POST /tag interface that accepts an arbitrary file path and writes title, artist, album, and lyrics metadata, but it does not warn that this operation mutates files on disk or emphasize the security implications. In context, the service may be deployed with a host music directory mounted into Docker and authentication can be disabled, so undocumented write semantics materially raise the chance of unauthorized or accidental media file modification.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The endpoint forwards user-supplied query parameters to an external service over plain HTTP, disclosing potentially sensitive search terms and allowing interception or tampering in transit. Because this is a server-side authenticated endpoint, users may not realize their input is being relayed off-box to a third party.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The fallback logic retrieves arbitrary cover URLs returned by search results, causing the server to make outbound requests to third-party locations. If the search source is untrusted or can be influenced, this becomes an SSRF-like primitive and also leaks server identity/IP to external hosts without any validation or disclosure.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The endpoint transmits user-supplied lyrics to an external AI service and may also process a user-supplied token, but this file shows no consent flow, warning, or data-handling control around that transfer. In a lyrics service, this creates a meaningful privacy and transparency problem because submitted content may include copyrighted, private, or sensitive text that is silently sent off-platform.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
In debug mode, the code logs `args('auth')`, which may expose authentication credentials, tokens, or secrets to console and rotating log files. Because logs are often broadly accessible to operators, support staff, or attackers after host compromise, this increases the risk of credential disclosure and follow-on unauthorized access.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script installs packages automatically as a side effect of running the build, without explicit user consent, review, or safety checks. In a build skill context this is especially risky because users may expect packaging behavior, not network package installation and execution of dependency setup code.

Missing User Warnings

High
Confidence
98% confidence
Finding
Using eval() in metadata parsing is unsafe regardless of warning text, but here it is especially dangerous because file metadata is commonly considered passive input. This creates a high-risk attack surface where malicious media files can exploit applications that read tags, including background scanners or importers, leading to arbitrary code execution.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code sends user-supplied search terms in a URL over plain HTTP to `mobilecdn.kugou.com`, which exposes the query to interception and modification by any on-path attacker. Because the terms may contain sensitive listening preferences or private media metadata, and the response can be tampered with, this is a real confidentiality and integrity issue rather than a harmless implementation detail.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The lyrics download is performed over plain HTTP, so the downloaded content can be observed or altered in transit by a network attacker. Since the response is then base64-decoded and processed as trusted lyric text, an attacker could inject misleading or malicious content into downstream consumers, creating both privacy and integrity risks.

VirusTotal

66/66 vendors flagged this skill as clean.