Elevenlabs Music

Security checks across malware telemetry and agentic risk

Overview

The music-generation tool itself is straightforward, but its documentation includes an unrelated off-platform paid-service solicitation.

Install only if you are comfortable using your ElevenLabs API key with this script, sending prompts to ElevenLabs, and potentially using paid quota. Treat the WeChat/Telegram custom-music advertisement as separate from the skill's reviewed API functionality and avoid off-platform payments or private contact unless you independently trust the publisher.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Description-Behavior Mismatch

Low

Confidence: 79% confidence
Finding: The skill documentation embeds unrelated paid custom-music sales and off-platform contact solicitation that is not part of the declared API-driven functionality. This can socially engineer users into bypassing platform controls, sharing personal contact details, or engaging in unvetted transactions outside the intended skill boundary.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal