Security audit

Generate ai Music

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward MakebestMusic integration that uses a configured API key to generate songs and check their status, with no evidence of hidden data access or harmful behavior.

Install only if you trust the publisher and MakebestMusic. Configure the API key through skill settings, avoid putting confidential personal or business information in prompts, and leave MBM_API_BASE unset unless you know it points to a trusted MakebestMusic endpoint.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Rogue AgentSelf-Modification, Session Persistence
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands

Findings (5)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 91% confidence
Finding: The skill invokes local Node.js scripts that use an API key and communicate with an external service, but the skill does not declare corresponding permissions. This creates a transparency and policy-enforcement gap: users and the host platform may not understand that the skill can access secrets and send data over the network.

Vague Triggers

Medium

Confidence: 84% confidence
Finding: The trigger description includes broad everyday phrases like "create a song" and "generate music," which can cause the skill to activate in contexts the user did not intend. Overbroad activation increases the chance that unrelated user text is routed to this skill and then disclosed to the external music-generation provider.

Vague Triggers

Medium

Confidence: 80% confidence
Finding: The activation guidance says to generate whenever the user requests a song and only asks follow-up questions when the description is missing, but it does not clearly define when not to activate. This ambiguity can lead to accidental tool invocation and external transmission of user prompts without sufficient user awareness.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill instructs the agent to send the user's prompt to MakebestMusic but does not warn users that their text will be transmitted to a third-party service. This undermines informed consent and can expose sensitive creative, personal, or proprietary content to an external provider.

Session Persistence

Medium

Category: Rogue Agent
Content: --- name: text-to-music description: AI music generation assistant powered by MakebestMusic. Use when user wants to create AI-generated music, songs, or audio tracks. Perfect for content creators, musicians, and anyone wanting custom AI music. Triggers on requests like "create a song", "generate music", "makebestmusic", "AI music", "write a melody", etc. version: 1.2.0 metadata: openclaw:
Confidence: 64% confidence
Finding: create AI-generated music, songs, or audio tracks. Perfect for content creators, musicians, and anyone wanting custom AI music. Triggers on requests like "create a song", "generate music", "makebestmu

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal