Security audit

Ai Music

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward MakebestMusic integration that uses a disclosed API key to generate and check music, with no evidence of hidden persistence or unrelated data access.

Install only if you are comfortable creating a MakebestMusic account, storing its API key in the skill configuration, and sending song descriptions and generated music IDs to that service. Use a dedicated key where possible and avoid putting sensitive personal information in music prompts.

SkillSpector

By NVIDIA

Vulnerability Patterns

Rogue AgentSelf-Modification, Session Persistence
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration

Findings (3)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 89% confidence
Finding: The skill instructs execution of local Node.js scripts and use of an environment API key, which implies code execution plus network access, yet no explicit permissions are declared. This creates a transparency and policy gap: users and the platform may not realize the skill can exfiltrate secrets or make external requests to a third-party music service.

Vague Triggers

Medium

Confidence: 83% confidence
Finding: The trigger description contains broad phrases like "create a song," "generate music," and "AI music," which are common conversational requests and may cause the skill to activate unexpectedly. Unintended activation is risky here because the skill can invoke scripts, use stored credentials, and send user prompts to an external service without sufficiently explicit user intent.

Session Persistence

Medium

Category: Rogue Agent
Content: --- name: text-to-music description: AI music generation assistant powered by MakebestMusic. Use when user wants to create AI-generated music, songs, or audio tracks. Perfect for content creators, musicians, and anyone wanting custom AI music. Triggers on requests like "create a song", "generate music", "makebestmusic", "AI music", "write a melody", etc. version: 1.2.0 metadata: openclaw:
Confidence: 68% confidence
Finding: create AI-generated music, songs, or audio tracks. Perfect for content creators, musicians, and anyone wanting custom AI music. Triggers on requests like "create a song", "generate music", "makebestmu

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal