Security audit

Album Release Pipeline

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says, but it can automatically publish content, use local credentials, deploy over SSH, and restart a remote service without a strong confirmation barrier.

Install only if you intend to run a full release automation pipeline and trust the config, credentials, SSH target, and local radio repo. Before running, use RELEASE_SKIP to disable youtube, deploy, and announce until you have reviewed the generated video, target host, destination paths, and outbound post text; avoid HRM_LYRICS_SRC unless it points to code you trust.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill describes substantial capabilities including reading local credential files, writing outputs, invoking shell scripts, and performing network operations, yet it declares no permissions or safety boundaries. This increases the chance that a user or agent executes high-impact actions without informed consent or proper sandboxing.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The script claims HRM-grounded lyrics generation, but actually imports Python code from an environment-controlled path via HRM_LYRICS_SRC. That allows arbitrary code execution under the user's account if the environment variable is pointed at attacker-controlled content, which is broader and riskier than the stated album-builder role.

Description-Behavior Mismatch

Low
Confidence
96% confidence
Finding
The script claims HRM-grounded lyrics generation, but actually imports Python code from an environment-controlled path via HRM_LYRICS_SRC. That allows arbitrary code execution under the user's account if the environment variable is pointed at attacker-controlled content, which is broader and riskier than the stated album-builder role.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code prepends an environment-supplied directory to sys.path and then imports generate_lyrics from that location. Any attacker who can influence HRM_LYRICS_SRC or the runtime environment can execute arbitrary Python during album generation, making this a genuine code-execution issue.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly performs public YouTube uploads and remote deployment to a radio host, but it does not provide a prominent warning that these actions publish content externally and may restart remote services. In an agent setting, this can lead to unintended public release, operational disruption, or reputational damage if run automatically or with the wrong configuration.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script reads credential material from ~/.openbotcity/credentials.json and later uses the JWT to authenticate API calls without any interactive warning, confirmation, or dry-run mode. In an end-to-end release pipeline that also performs network actions, this increases the risk of unintended credential use or execution in the wrong environment, especially if invoked by another agent or automation.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script uploads the generated album video publicly to YouTube automatically, using title/description/tags from config, with no human confirmation step. This can cause irreversible public disclosure of content, metadata, or copyrighted/private material if the pipeline is triggered with the wrong inputs or by an untrusted caller.

Missing User Warnings

High
Confidence
98% confidence
Finding
The deploy phase copies files to a remote host over SSH and then runs git pull and sudo systemctl restart on that host without any confirmation barrier. In this skill context, that is a production-changing operation that can overwrite remote content or disrupt service availability if the config, host, or key is wrong, or if the script is triggered unintentionally.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The announce phase posts cross-platform public messages from the radio host with no interactive approval. Because this is a release automation skill, the context makes accidental mass publication more likely and more damaging, especially if content, links, or tags are incorrect or premature.

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
    set -e
    cd ~/kannaka-radio
    git pull --ff-only origin master 2>&1 | tail -3
    sudo systemctl restart kannaka-radio
    sleep 2
    systemctl is-active kannaka-radio
  '
Confidence
88% confidence
Finding
sudo

VirusTotal

VirusTotal findings are pending for this skill version.

Static analysis

No suspicious patterns detected.