
Security audit

discord-music-sync

Security checks across malware telemetry and agentic risk

Overview

This skill is a simple karaoke-style lyric timing helper whose file and Discord actions are disclosed and aligned with its stated purpose.

Before installing, confirm you are comfortable letting the agent read the lyrics file you provide, write playback files and generated audio into your chosen output folder, use Minimax TTS for lyric text, and post timed lyric lines to the intended Discord channel when you ask it to play them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3 (Medium)

Category: MCP Least Privilege
Confidence: 88%
Finding: The skill instructs the agent to read lyric input files and write audio outputs and playback manifests to disk, but it does not declare corresponding permissions. Undeclared file access reduces transparency and can bypass policy or user expectations, especially because it writes to a shared directory accessible by another component.

VirusTotal

63/63 vendors flagged this skill as clean.
