Back to skill

Security audit

Jingle Forge

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only SenseAudio jingle generator whose external API use and local audio output files match its stated purpose.

Install this only if you are comfortable using a SenseAudio API key and sending brand names, creative prompts, lyrics, tone keywords, and related campaign details to SenseAudio. Avoid confidential unreleased branding unless SenseAudio’s terms and privacy handling are acceptable, and watch for API quota or paid usage from the generated variants.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill expands from jingle generation into standalone text-to-speech generation of the brand name, which is outside the declared purpose and increases data handling and output scope without clear user disclosure. This creates unnecessary external transmission of brand data and may surprise users who did not consent to an additional audio artifact being created and stored locally.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The trigger text includes a broad catch-all condition ('or any request to create a short branded musical piece'), which can cause the skill to activate for loosely related requests and send user-provided content to an external service unexpectedly. Overbroad invocation increases the chance of accidental execution on sensitive brand or campaign information outside the user's intended workflow.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill does not prominently warn users that brand names, tone keywords, lyrics prompts, and related creative inputs are transmitted to an external third-party audio-generation service. This lack of disclosure undermines informed consent and can expose proprietary marketing or branding information to a provider the user may not expect.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.