Byted Las Audio Convert

Security checks across malware telemetry and agentic risk

Overview

The skill’s audio-conversion purpose is coherent, but its required setup automatically fetches remote metadata and installs or upgrades a remote SDK without explicit user consent or integrity verification.

Review before installing. Use it only if you trust the Volcengine LAS SDK source and are comfortable sending selected audio files to Volcengine/TOS. Prefer preinstalling or independently verifying the SDK, use least-privilege temporary credentials, and keep any env.sh containing secrets out of shared or version-controlled folders.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 95%
Finding:
The skill invokes shell commands extensively (`source`, `ffprobe`, `lasutil`, shell scripts) but does not declare shell/code execution permissions. This creates a transparency and policy-enforcement gap: a host may allow the skill under the assumption it is declarative or low-risk, while it can actually execute local commands and access local files and environment variables.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 97%
Finding:
The documented purpose is audio conversion, but the workflow also initializes environments, creates/activates a virtualenv, fetches remote metadata/manifests, and may install or upgrade SDK components from the network. Hidden network retrieval and package installation materially expand the attack surface, enabling supply-chain compromise or unexpected code execution beyond what a user would reasonably expect from a transcoding skill.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding:
The environment initialization script for an audio conversion skill performs unrelated remote manifest retrieval and uses that data to drive SDK update behavior. This expands the trust boundary from local setup into unauthenticated runtime network state and introduces supply-chain risk, especially because the fetched manifest and remote wheel URL influence what gets installed during initialization.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The script automatically runs `pip install --upgrade` from a remote wheel URL during environment initialization, with only a generic informational message. Executing package installation code when the script is sourced, without explicit consent, can lead to arbitrary code execution via malicious or compromised packages, and this is especially risky in a skill whose declared purpose is only audio conversion.

VirusTotal

66/66 vendors flagged this skill as clean.
