Music Studio

Security checks across malware telemetry and agentic risk

Overview

This music-generation skill mostly matches its stated purpose, but its chat setup path can save a pasted API key into persistent session history in addition to the intended config file.

Review before installing. Use a dedicated MiniMax API key if possible, protect ~/.config/music-studio/config.json and the output/sessions directory, and avoid entering the key through the chat setup flow unless the skill redacts setup messages or you manually delete session files afterward. Generated prompts, lyrics, reference URLs, and audio outputs may be sent to MiniMax and stored locally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill documentation describes capabilities to read/write local files, invoke shell commands via CLI workflows, persist sessions, and call external APIs, but it does not declare corresponding permissions. This creates a trust and review gap: a host or user may authorize or install the skill without understanding that it can access local state and the network, increasing the chance of unintended data exposure or destructive file operations.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The declared description understates the actual behavior by omitting persistent session history, library export/download/clean capabilities, local API key setup and storage, and broader trigger phrases. Hidden persistence and management features materially change the security posture because they increase the amount of retained sensitive data and may cause the skill to activate or perform stateful operations outside the narrow user expectations set by the description.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The initialization flow sends the user-provided API key to the remote provider by calling `client.lyrics_generation(prompt="test")` before the user is clearly warned that network validation will occur. This creates an unexpected credential disclosure path during setup, which is especially relevant because the skill description emphasizes conservative local configuration and output handling.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The setup flow asks the user to paste an API key, immediately validates it against a remote provider, and then persists it via config.save_config without any user-facing disclosure about transmission or local storage. This creates a real secret-handling risk because users may not realize the key is sent over the network and stored on disk, increasing exposure through local compromise, backups, logs, or shared environments.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The code writes generated audio, lyrics, metadata, and source URLs to local files by default, including prompts, titles, reference URLs, and provider/model details, without upfront disclosure or consent. This is a real privacy and data-retention issue because sensitive creative content and remote resource links may persist on disk unexpectedly and become accessible to other local users, backup systems, or forensic recovery.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script sends the user-supplied reference audio URL to a remote preprocessing API (`music_cover_preprocess`) without any explicit notice or confirmation that the audio will be transmitted to a third-party service. In a music workflow this is expected functionality, but the lack of user-facing disclosure can expose private or copyrighted audio to external systems unexpectedly, creating privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script stores the API key directly in `config.json` and only afterward informs the user that it has been saved, without a prior warning about plaintext credential storage or file-permission expectations. If the config directory is accessible to other local users, backed up insecurely, or accidentally committed/shared, the credential can be exposed.
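The two concrete mitigations the Overview recommends (restrict the config file and the output/sessions directory, and remove the key from session history if it was pasted into the chat setup flow) and the plaintext-storage finding above can both be checked with a short script. The following is an added example written for this page, not code from the skill itself. The config layout (`config.json` with an `api_key` field) follows the page; the session file format, the function names, and the sample key are constructed for illustration and are not the skill's real format.

```python
"""Audit and harden the local state the music-studio setup flow leaves behind.

Added example, not the skill's own code. Assumed layout (per the page):
  <config dir>/config.json      plaintext JSON holding {"api_key": "..."}
  <output>/sessions/*.json      persisted chat history
The session JSON shape and the sample key below are constructed.
"""
import json
import os
import stat
import tempfile
from pathlib import Path

SECRET_MODE = 0o600   # owner read/write only
DIR_MODE = 0o700      # owner-only directory
MASK = "[REDACTED]"


def write_config_private(path: Path, config: dict) -> None:
    """Write config.json so it is never readable by other local users.

    Passing the mode to os.open avoids the window in which a default-umask
    file already contains the secret before a later chmod tightens it.
    """
    path.parent.mkdir(parents=True, exist_ok=True)
    os.chmod(path.parent, DIR_MODE)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, SECRET_MODE)
    with os.fdopen(fd, "w") as fh:
        json.dump(config, fh)
    os.chmod(path, SECRET_MODE)  # also fixes a pre-existing, looser file


def insecure_mode(path: Path, allowed: int) -> bool:
    """True if the path carries any permission bit outside `allowed`."""
    return bool(stat.S_IMODE(path.stat().st_mode) & ~allowed)


def audit(config_path: Path, sessions_dir: Path) -> dict:
    """Report loose permissions and session files containing the API key."""
    findings = {"loose_perms": [], "leaked_in": []}
    for p, allowed in ((config_path, SECRET_MODE), (sessions_dir, DIR_MODE)):
        if p.exists() and insecure_mode(p, allowed):
            findings["loose_perms"].append(str(p))
    key = json.loads(config_path.read_text()).get("api_key", "")
    if key:
        for f in sorted(sessions_dir.glob("*.json")):
            if key in f.read_text():
                findings["leaked_in"].append(str(f))
    return findings


def redact_key_in_sessions(sessions_dir: Path, api_key: str) -> int:
    """Replace literal copies of the key in session files; returns files changed."""
    changed = 0
    for f in sessions_dir.glob("*.json"):
        text = f.read_text()
        if api_key in text:
            f.write_text(text.replace(api_key, MASK))
            os.chmod(f, SECRET_MODE)
            changed += 1
    return changed


def demo() -> dict:
    """Run audit and redaction over a constructed tree in a temp directory."""
    root = Path(tempfile.mkdtemp())
    cfg = root / "config" / "config.json"
    sessions = root / "output" / "sessions"
    sessions.mkdir(parents=True)
    os.chmod(sessions, 0o755)                 # a typical, too-loose default
    key = "sk-constructed-example-key-0123"   # constructed; not a real key
    write_config_private(cfg, {"api_key": key})
    # constructed transcript in which the user pasted the key into chat setup
    (sessions / "2024-01-01.json").write_text(json.dumps(
        {"messages": [{"role": "user", "content": f"here is my key: {key}"}]}))
    (sessions / "clean.json").write_text(json.dumps({"messages": []}))
    before = audit(cfg, sessions)
    os.chmod(sessions, DIR_MODE)
    redacted = redact_key_in_sessions(sessions, key)
    after = audit(cfg, sessions)
    return {"before": before, "after": after, "redacted_files": redacted}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Point `audit()` at `~/.config/music-studio/config.json` and the skill's `output/sessions` directory to run it against a real install; if `leaked_in` is non-empty the key has already been written to disk outside the config file, so rotate it at the provider after redacting, since redaction does not undo any backup or sync that already captured the file.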

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code transmits the entered API key to an external provider for validation without clearly notifying the user before the network request occurs. In a setup flow marketed as conservative/local, this hidden transmission increases the risk of users disclosing secrets under false assumptions about where their credentials remain.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script sends user-supplied prompt and optional lyrics to an external music-generation provider via `client.music_generation(...)` without any explicit disclosure at the point of use. This creates a privacy and consent risk because users may provide sensitive creative material or personal data assuming local-only processing, while the skill metadata claims a conservative local workflow.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script automatically downloads audio from a returned URL and writes `.mp3`, `.url`, `.meta.txt`, or `.hex` files to local storage without an upfront warning or opt-in. This can surprise users with network activity and filesystem persistence, and if the provider or response is compromised it also expands exposure through unvalidated remote content retrieval.
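The last sentence of that finding is the part worth acting on: a client that fetches whatever URL the provider returns and writes it under a title it did not choose is trusting the response for the scheme, the host, the size, the content type, and the output filename. The following is an added example for this page, not the skill's code; the allowlisted host is a placeholder (the page does not name MiniMax's download host), and the MP3-like body is constructed so the checks run offline against any file-like stream.

```python
"""Guardrails for the 'download audio from a returned URL and save it' step.

Added example, not the skill's own code. ALLOWED_HOSTS is an assumption
(replace with the provider's real audio host). fetch_bounded accepts any
object with .read(n), so it works on a urllib/requests raw stream and on
io.BytesIO for offline testing.
"""
import io
import re
from pathlib import Path
from typing import Optional
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"example-cdn.invalid"}   # assumption; not the provider's real host
ALLOWED_TYPES = {"audio/mpeg", "audio/mp3"}
MAX_BYTES = 50 * 1024 * 1024


def check_download_url(url: str) -> Optional[str]:
    """Return a reason to refuse the URL, or None if it is acceptable.

    Rejects non-HTTPS schemes, embedded credentials, and hosts outside the
    allowlist, so a tampered response cannot redirect the client to file://,
    an internal service, or an attacker-controlled host.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return "credentials embedded in URL"
    if parts.hostname not in ALLOWED_HOSTS:
        return f"host {parts.hostname!r} not in allowlist"
    return None


def safe_output_path(base_dir: Path, title: str, ext: str = ".mp3") -> Path:
    """Map a provider/user-supplied title to a filename confined to base_dir."""
    stem = re.sub(r"[^A-Za-z0-9._-]+", "_", title).strip("._")[:64] or "track"
    target = (base_dir / f"{stem}{ext}").resolve()
    if target.parent != base_dir.resolve():
        raise ValueError("output path escapes base directory")
    return target


def fetch_bounded(body, content_type: str, limit: int = MAX_BYTES) -> bytes:
    """Read at most `limit` bytes, rejecting wrong content types and non-MP3 data."""
    if content_type.split(";")[0].strip().lower() not in ALLOWED_TYPES:
        raise ValueError(f"unexpected content type {content_type!r}")
    chunks, total = [], 0
    while True:
        chunk = body.read(64 * 1024)
        if not chunk:
            break
        total += len(chunk)
        if total > limit:
            raise ValueError("response exceeds size limit")
        chunks.append(chunk)
    data = b"".join(chunks)
    # An MP3 stream starts with an ID3 tag or an MPEG frame sync (0xFF, then 0xE0 bits set).
    is_id3 = data.startswith(b"ID3")
    is_frame = len(data) > 1 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0
    if not (is_id3 or is_frame):
        raise ValueError("body is not an MP3 stream")
    return data


def demo() -> dict:
    """Exercise the checks on constructed inputs; no network access."""
    results = {
        "good_url": check_download_url("https://example-cdn.invalid/out/123.mp3"),
        "file_url": check_download_url("file:///etc/passwd"),
        "other_host": check_download_url("https://attacker.invalid/x.mp3"),
        "path": safe_output_path(Path("/tmp/music-out"), "../../etc/passwd").name,
    }
    fake_mp3 = b"ID3" + b"\x00" * 100          # constructed MP3-like body
    results["ok_bytes"] = len(fetch_bounded(io.BytesIO(fake_mp3), "audio/mpeg"))
    try:
        fetch_bounded(io.BytesIO(b"<html>oops</html>"), "text/html")
        results["html_rejected"] = False
    except ValueError:
        results["html_rejected"] = True
    try:
        fetch_bounded(io.BytesIO(fake_mp3 * 2), "audio/mpeg", limit=150)
        results["oversize_rejected"] = False
    except ValueError:
        results["oversize_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The magic-byte check is deliberately weak on its own (an attacker can prefix anything with `ID3`); it exists to catch the common failure where an error page or HTML redirect gets written out as `.mp3`, while the host allowlist and size cap are what actually limit what a compromised response can make the client fetch.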

VirusTotal

67/67 vendors flagged this skill as clean.
