Back to skill

Security audit

Beat

Security checks across malware telemetry and agentic risk

Overview

Beat is advertised as a music/audio tool, but the included script mainly stores whatever command text the user enters in local logs.

Review this as a local activity logger, not a real audio management tool. Avoid entering secrets, private paths, unreleased project names, or sensitive metadata, and inspect or clear ~/.local/share/beat after testing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The skill is presented as a music/audio management tool, but the documented behavior shows it also functions as a generic logging and activity-tracking system that stores arbitrary user input under ~/.local/share/beat. This mismatch is security-relevant because users may provide sensitive prompts, file paths, or operational notes believing they are invoking audio-specific functionality, while the tool silently persists and exposes that data through search, report, and export features.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The implemented behavior materially contradicts the declared skill purpose: instead of managing or analyzing music/audio files, it acts as a generic command-input logger under broad placeholder verbs. In an agent skill ecosystem, this kind of capability mismatch is dangerous because users may disclose file paths, metadata, tokens, or other sensitive operational input under the assumption the tool is performing audio work, while the script silently persists those inputs.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The header comments describe a generic utility tool, which conflicts with the advertised audio-management skill. This inconsistency increases supply-chain and user-trust risk because reviewers and users cannot reliably infer the actual behavior or intended data handling from the package metadata.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Automatic history and activity logging introduces a privacy and data-retention risk because user actions and inputs may be stored locally without clear warning, consent, retention limits, or instructions for deletion. In the context of an agent skill, users may enter filenames, notes, or other potentially sensitive content, making undisclosed persistent logging more dangerous than ordinary transient command output.

Missing User Warnings

Low
Confidence
80% confidence
Finding
Exporting stored data to JSON, CSV, or text can propagate sensitive locally stored history into portable files that are easier to share, upload, or mishandle, especially when the underlying store may already contain arbitrary user-provided content. While export itself is a normal feature, the absence of warning or scoping increases the chance of inadvertent disclosure.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
User-provided input is appended verbatim to persistent logs, and the tool does not clearly warn users that their arguments will be stored. In this context, users may enter sensitive file names, paths, track metadata, credentials embedded in URLs, or other private content, creating a privacy and data-retention risk that is amplified by the mismatch between claimed audio functionality and actual logging behavior.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.