
Security audit

Musik Tools AI Music Companion

Security checks across malware telemetry and agentic risk

Overview

This is a document-only music helper skill with disclosed links and no executable behavior, credential use, persistence, or privileged access.

Before installing, expect this skill to help structure music searches, lyrics, pitch workflows, and AI music prompts. It includes external links to Musik Tools and GitHub resources, so users should review those sites separately before entering recordings or personal information there.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 90%
Finding
This manifest lists generic trigger phrases such as "music finder", "song finder", and "ai music" without any narrowing context or exclusion conditions. Because this is a manifest file, broad invocation keywords can overlap with ordinary user requests about music and cause the skill to activate when the user did not intend to invoke it.

Natural-Language Policy Violations

Low
Confidence: 80%
Finding
The manifest sets the language to "en", which can indicate an English-only constraint, but there is no accompanying note that this is optional, user-selected, or justified by a region-specific purpose. Under the policy, forcing a specific language without opt-in can be a natural-language policy concern.

VirusTotal

64/64 vendors flagged this skill as clean.
