Security audit

Ai Songwriter

Security checks across malware telemetry and agentic risk

Overview

The skill appears to make songs as advertised, but its broad activation phrases and file-sending workflow need review before installation.

Install only if you are comfortable with a skill that can search externally, generate audio files, and send them to external targets. Before using it, require a clear confirmation step for any send action, including the exact destination and file being sent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium, 89% confidence
Finding
The trigger list contains short, common phrases that can match ordinary user requests and invoke the skill unexpectedly. Because this skill can perform external searches, generate files, and send audio to targets, accidental activation can lead to unintended data processing or actions the user did not clearly authorize.

Missing User Warnings

Medium, 94% confidence
Finding
The skill includes a file-sending workflow to external targets but does not require an explicit user-facing consent warning immediately before transmission. In context, the skill may generate and send audio derived from user-provided or researched content, so silent or assumed delivery creates a real risk of unintended disclosure, misdelivery, or exfiltration to third-party destinations.

VirusTotal

VirusTotal findings are pending for this skill version.

Static analysis

No suspicious patterns detected.