Music Generation

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent OhYesAI music-generation helper that uses an API key, sends song details to OhYesAI, and downloads the resulting MP3 locally.

Install only if you trust OhYesAI with your API key and the prompts/styles you provide. Expect outbound API calls, polling, possible account quota or billing activity, and local MP3 files saved in the working directory; avoid sensitive prompts and review downloaded files before sharing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill instructs the agent to download an MP3 into the current working directory using a filename derived from remote output, without any safeguards around path handling, overwrite prevention, file size limits, or content validation. In an agent environment, this can lead to unintended local file creation, clobbering existing files, or storing untrusted remote content that is then surfaced back to the user.

Missing User Warnings

Medium
Confidence: 84%
Finding
The setup and API usage require placing a sensitive API key in an environment variable and sending user-provided content to a third-party service, but the skill provides no privacy, logging, or credential-handling warnings. This increases the risk of accidental key exposure in command history, logs, debugging output, or unintended disclosure of user prompts to the external provider.

VirusTotal

65/65 vendors flagged this skill as clean.
