Voice Note To Midi

Security checks across malware telemetry and agentic risk

Overview

This appears to be a straightforward audio-to-MIDI skill, with ordinary installer risks around third-party dependencies and an optional PATH change.

Before installing, review the Basic Pitch hum2midi script if you need to download it manually, and consider pinning or reviewing the Python dependencies on sensitive machines. Only accept the PATH change if you are comfortable having ~/melody-pipeline affect future terminal command lookup; remove the added export line from your shell profile to undo it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

Medium
Confidence: 89%
Finding
The script persistently modifies the user's shell startup file to add the install directory to PATH, which changes the user's execution environment beyond the immediate setup task. While this is a common convenience feature in installers, it can create lasting trust and execution-surface changes, especially if that directory later contains replaced or malicious executables.

Missing User Warnings

Low
Confidence: 84%
Finding
The instructions append an export line to ~/.bashrc, creating a persistent environment change without clearly warning the user that future shells will be affected. This is not inherently malicious here, but silent persistence can surprise users, interfere with existing PATH ordering, and make rollback harder.

VirusTotal

65/65 vendors flagged this skill as clean.