Music Video Generator

Security checks across malware telemetry and agentic risk

Overview

This skill does not show theft or destructive behavior, but it presents mock music-video and account results as real while asking for an API key.

Review before installing. Treat this as a mock/demo unless the publisher updates it to clearly label simulated outputs or implements real documented API calls. Do not provide a production Freebeat API key; if testing, use a disposable low-privilege key and verify the exact npm package before running the npx command.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Intent-Code Divergence

Medium

Confidence: 98% confidence
Finding: The server and tool descriptions present this skill as a real AI music video generation service, but the implementation only fabricates job IDs, statuses, account data, and CDN URLs. In an agent setting, this is dangerous because downstream users or workflows may treat the returned artifacts as genuine external results, enabling deception, bad automation decisions, billing confusion, or trust abuse.

Intent-Code Divergence

Medium

Confidence: 97% confidence
Finding: The account info tool claims to return current account information and remaining credits, but it emits hard-coded values unrelated to any real account state. This can mislead users and autonomous clients into making operational or purchasing decisions based on false account telemetry, especially in an MCP environment where tools are expected to represent real capabilities.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal