Song Creation

Security checks across malware telemetry and agentic risk

Overview

This song-generation skill is mostly aligned with its purpose, but it needs review because it can install and run a local AI stack while using broad process control and weak file-path safeguards.

Install it only if you intentionally want a local ComfyUI/AceStep music-generation setup and are comfortable with large downloads, Python package installation, persistent files under ~/ai, and external model use for prompts. Review setup.sh first, run it in a dedicated user account, VM or container if possible, avoid song names containing slashes or '..', and inspect any local manual before letting the agent follow it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94%
Finding
The skill instructs use of file reads, shell commands, and likely network-backed model/session operations, but does not declare any permissions or user-visible warning about these capabilities. This creates a transparency and governance gap: users and platform controls cannot accurately assess or constrain the skill before execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91%
Finding
The manifest presents a narrow songwriting workflow, but the body authorizes substantially broader host actions such as local process control, file movement/deletion, ComfyUI job submission, and operational recovery steps. That mismatch is dangerous because reviewers and users may approve the skill for creative assistance while it actually performs privileged local orchestration beyond the stated scope.

Context-Inappropriate Capability

Medium
Confidence
96%
Finding
The recovery instructions use a broad `pkill -f "python.*main.py"`, which sends a signal to every process whose full command line matches that regular expression: any project's main.py run under Python, not just the intended ComfyUI instance. In a shared or long-running environment this can disrupt other workloads and cause denial of service or data loss.
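A narrower way to stop the server, added here as an example and not taken from the skill or its setup.sh: kill only the PID the launcher recorded, and only after checking that the PID still belongs to ComfyUI. The install path `$HOME/ai/ComfyUI`, the pidfile location and the `python "$COMFY_DIR/main.py"` launch form are assumptions of this example.

```bash
#!/usr/bin/env bash
# Hardened replacement for a broad `pkill -f "python.*main.py"`.
# Assumptions (this example's, not the skill's): ComfyUI is checked out under
# $COMFY_DIR and launched as `python "$COMFY_DIR/main.py"`, and the launcher wrote
# its PID to $PIDFILE. Both paths are hypothetical defaults; override them via the environment.
COMFY_DIR="${COMFY_DIR:-$HOME/ai/ComfyUI}"
PIDFILE="${PIDFILE:-$COMFY_DIR/comfyui.pid}"

# is_comfy_cmdline "ARGV AS ONE STRING"
# True only for a python interpreter whose script argument is exactly our main.py.
# "python.*main.py" would also match any other project's main.py (or
# "python -m pytest main.py"); this does not.
is_comfy_cmdline() {
  # shellcheck disable=SC2086  # intentional: split the ps output into argv words
  set -- $1
  [ "$#" -ge 2 ] || return 1
  case "${1##*/}" in python|python3|python3.[0-9]*) ;; *) return 1 ;; esac
  [ "$2" = "$COMFY_DIR/main.py" ]
}

# stop_comfy
# Signal only the PID our launcher recorded, and only after confirming that the PID
# still belongs to our ComfyUI: PIDs are reused, so a stale pidfile would otherwise
# point at an unrelated process.
stop_comfy() {
  [ -r "$PIDFILE" ] || { echo "no pidfile at $PIDFILE; nothing to stop" >&2; return 1; }
  pid=$(cat "$PIDFILE")
  case "$pid" in ''|*[!0-9]*) echo "pidfile does not hold a PID: '$pid'" >&2; return 1 ;; esac
  if ! args=$(ps -o args= -p "$pid" 2>/dev/null) || [ -z "$args" ]; then
    rm -f -- "$PIDFILE"
    echo "PID $pid is gone; stale pidfile removed" >&2
    return 1
  fi
  if ! is_comfy_cmdline "$args"; then
    echo "refusing to kill PID $pid: '$args' is not $COMFY_DIR/main.py" >&2
    return 1
  fi
  kill -TERM "$pid" || return 1
  # Allow up to 10 s for a clean shutdown before escalating to SIGKILL.
  i=0
  while kill -0 "$pid" 2>/dev/null && [ "$i" -lt 10 ]; do sleep 1; i=$((i + 1)); done
  if kill -0 "$pid" 2>/dev/null; then kill -KILL "$pid"; fi
  rm -f -- "$PIDFILE"
}
```

The launcher has to cooperate by writing the pidfile (for example `python "$COMFY_DIR/main.py" & echo $! > "$PIDFILE"`); in return the recovery step can never reach a process that did not come from that launcher, and a reviewer can see exactly what gets killed.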

Context-Inappropriate Capability

Low
Confidence
79%
Finding
The skill directs moving generated files and removing directories on the host filesystem, which introduces risk of accidental deletion or overwriting if paths are wrong, a variable such as the song name is attacker-influenced, or cleanup logic is too broad. While this appears intended for output organization, it still expands the blast radius beyond simple song generation.
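The following is an added example of how the output-organization step can be written so that neither a bad song name nor a stray variable can delete or overwrite anything outside the output tree; it is not code from the skill and it implements the Overview's advice about slashes and '..' as a check rather than a request to the user. The staging directory (`$HOME/ai/ComfyUI/output`), the output root (`$HOME/ai/songs`) and the audio extensions are assumptions of this example.

```bash
#!/usr/bin/env bash
# Output organization without an open-ended "mv $x $y; rm -rf $dir".
# Assumptions (this example's, not the skill's): generated audio lands in
# $STAGING_DIR and is filed under $OUT_ROOT/<song name>/. Both paths are hypothetical.
OUT_ROOT="${OUT_ROOT:-$HOME/ai/songs}"
STAGING_DIR="${STAGING_DIR:-$HOME/ai/ComfyUI/output}"

# valid_song_name NAME
# Reject empty names, path separators, leading dots, ".." and anything outside a
# small allow-list, so the name can never select a directory we did not intend.
valid_song_name() {
  case "$1" in
    ''|*[!A-Za-z0-9._-]*|.*|*..*) return 1 ;;
  esac
  [ "${#1}" -le 64 ]
}

# file_song NAME
# Move every .wav/.mp3/.flac in the staging dir into $OUT_ROOT/NAME/ and print the
# count. Only plain files are moved, only with mv (never rm -rf), and the staging
# directory itself is left in place.
file_song() {
  name=$1
  valid_song_name "$name" || { echo "rejecting song name '$name'" >&2; return 1; }
  dest="$OUT_ROOT/$name"
  mkdir -p -- "$dest" || return 1
  # Defense in depth: if $dest already existed as a symlink, the physical path may
  # point outside $OUT_ROOT even though the name passed validation.
  real_dest=$(cd "$dest" && pwd -P) || return 1
  real_root=$(cd "$OUT_ROOT" && pwd -P) || return 1
  case "$real_dest" in
    "$real_root"/*) ;;
    *) echo "destination $dest resolves outside $OUT_ROOT; refusing" >&2; return 1 ;;
  esac
  moved=0
  for f in "$STAGING_DIR"/*.wav "$STAGING_DIR"/*.mp3 "$STAGING_DIR"/*.flac; do
    [ -f "$f" ] || continue            # an unmatched glob stays literal; skip it
    mv -n -- "$f" "$dest"/ && moved=$((moved + 1))
  done
  echo "$moved"
}
```

`mv -n` refuses to overwrite an existing file with the same name, and the only directory operation is `mkdir -p` under the validated destination; if the staging directory really must be emptied afterwards, `rmdir` (which fails unless the directory is empty) is the safe choice over `rm -rf` on a variable.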

Vague Triggers

Medium
Confidence
83%
Finding
The trigger phrase 'or any song/music creation request' is overly broad and may cause the skill to activate for loosely related prompts, increasing the chance of unexpected sub-session spawning and local command execution. Overbroad routing is especially risky here because the skill performs host-side operations rather than only text generation.

Missing User Warnings

Medium
Confidence
92%
Finding
The description omits that the skill may spawn multiple sub-sessions, read local files, execute bash commands, and write/move/delete files. This lack of disclosure undermines informed consent and makes the skill more dangerous in context because users may expect a harmless creative workflow, not host-side orchestration.

VirusTotal

63/63 vendors flagged this skill as clean.