DJ mp3 sourcer

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly coherent, but its filename-normalization script can move MP3 files outside the chosen folder if track metadata contains path-like text.

Only install if you are comfortable with the agent downloading and renaming MP3s in a folder you choose. Before using the normalization script on untrusted tracklists, sanitize artist/title values, reject slashes and '..', use a dry run, and keep work in a disposable output folder.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 80%
Finding
The skill performs filesystem-affecting actions by downloading files and renaming MP3s on disk, but the description does not prominently warn users about those side effects. In an agent setting, insufficient disclosure can lead to unexpected modification of local files or writing into user directories without informed consent, especially during batch processing.

VirusTotal

66/66 vendors flagged this skill as clean.