Lyric Flip

The skill (SKILL.md) facilitates lyric and song generation via the SenseAudio API (api.senseaudio.cn) but contains a significant shell injection vulnerability. The instructions direct the agent to construct curl commands by directly embedding user-controlled input (lyrics and themes) into the command string, which could allow for arbitrary command execution on the host. While the functionality aligns with the stated purpose and lacks clear evidence of malicious intent, the high-risk nature of this implementation flaw warrants a suspicious classification.