Topmediai AI Music Generator

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed TopMediai music-generation wrapper that uses a user-provided API key to send prompts and song/task data to TopMediai.

Install only if you are comfortable sending creative prompts, lyrics, task IDs, and song IDs to TopMediai under your API key. Keep the .env file private, leave TOPMEDIAI_BASE_URL set to https://api.topmediai.com unless you trust another endpoint, monitor any paid quota or billing impact, and consider pinning dependencies locally for reproducible installs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 94%
Finding: The skill explicitly requires access to an environment variable (`TOPMEDIAI_API_KEY`) and makes outbound network requests, yet no permissions are declared. This creates a transparency and governance gap: users and platforms cannot accurately assess what sensitive resources the skill will access before installation or execution.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 88%
Finding: The skill description says it generates music, BGM, or lyrics, but the documented behavior also includes generating MP4/video output from a `song_id`. This mismatch can mislead users and reviewers about the actual behavior of the skill, weakening informed consent and making it easier for unexpected media-generation features to bypass scrutiny.

Missing User Warnings

Medium
Confidence: 97%
Finding: The manifest indicates that user prompts are sent to a third-party API using a configured API key, but it does not warn users that their prompts and related generation data leave the local environment. This creates a real privacy and data-handling risk because users may submit sensitive text, lyrics, or creative material without understanding it will be transmitted to an external service.

Missing User Warnings

Medium
Confidence: 91%
Finding: The script sends the user's prompt to the external TopMediai service via `generate_lyrics()` without any visible notice, consent flow, or minimization in this file. Because prompts may contain sensitive or proprietary text, this creates a real privacy and data-handling risk even though the behavior appears necessary for the skill's functionality rather than malicious.

Missing User Warnings

Medium
Confidence: 93%
Finding: The script submits generated lyrics, which are directly derived from the user's prompt, to an external API using `submit_and_extract_ids()`. This extends third-party exposure beyond the initial prompt and may disclose sensitive user-provided or model-expanded content without explicit user-facing disclosure, making it a genuine privacy concern in this context.

Unpinned Dependencies

Low
Category: Supply Chain
Content:
requests>=2.31.0
python-dotenv>=1.0.1
Confidence: 97%
Finding: requests>=2.31.0

Unpinned Dependencies

Low
Category: Supply Chain
Content:
requests>=2.31.0
python-dotenv>=1.0.1
Confidence: 96%
Finding: python-dotenv>=1.0.1

VirusTotal

65/65 vendors flagged this skill as clean.
