Security audit

Text to Music

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward MakebestMusic text-to-music skill that uses a user-provided API key to generate songs and check task status.

Install only if you trust MakebestMusic with your song prompts and API key. Avoid submitting confidential lyrics, personal data, or proprietary creative material, and do not set MBM_API_BASE to an endpoint you do not control or trust.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 85% confidence
Finding: The trigger phrases are broad enough to match many normal music-related requests, which can cause the skill to activate unexpectedly. Over-broad activation can route user prompts and generated task data to an external service without the user clearly choosing this specific integration.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The skill asks users to provide song descriptions and later check task status, but it does not warn that these prompts and task identifiers/status data are transmitted to MakebestMusic. This creates a privacy and transparency issue because users may share sensitive creative or personal content without realizing it leaves the local system.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal