Back to skill

Security audit

Music Cog

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward CellCog music-generation skill with disclosed API-key and package requirements, and no bundled code or hidden behavior found.

Install this if you trust CellCog and are comfortable using a CellCog API key. Treat prompts as content sent to an external service, and avoid including secrets, private business material, personal data, or regulated content unless that use is approved.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The skill description is very broad and presents the capability as generally applicable music generation without clear activation boundaries, exclusions, or safety constraints. In an agent ecosystem, overly broad scoping increases the chance the skill is invoked in unintended contexts and can cause unnecessary transmission of user prompts or sensitive project context to the external CellCog service.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs users how to submit prompts through the CellCog client but does not clearly warn that prompts and possibly attached content are sent to an external third-party service. This creates a data exposure risk because users or agents may include confidential, proprietary, or personal information in prompts under the assumption processing is local.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.