Gen Music

Pass

Audited by VirusTotal on May 11, 2026.

Findings (1)

The script `scripts/generate.py` contains a path traversal vulnerability in the `local_source_path` and `save_outputs` functions. It blindly trusts file paths or query parameters returned by the API backend, allowing a potentially malicious or compromised server to trigger the copying of arbitrary local files (e.g., sensitive configuration or identity files) into the skill's output directory. While this behavior is documented in `SKILL.md` as a convenience for local API integration, the lack of input validation on the source paths poses a significant risk of local data exposure.