Security audit
Security checks across malware telemetry and agentic risk
The skill appears to do the advertised MeloTTS metadata work, but it also makes broad Python environment changes and downloads packages at runtime without clear enough user control.
Review before installing. Use it only in an isolated environment where changing Python packages, creating a shared virtualenv, downloading large ML packages/models, reading local audio/text directories, and writing transcript/output files are acceptable. There is no artifact-backed evidence of credential theft, exfiltration, or destructive intent, but the environment mutation and persistence are significant enough to warrant the Review bucket.
"""专门为老项目(使用 pkg_resources 的 setup.py)修复 setuptools 版本"""
logger.info("🔧 正在修复 setuptools 版本(兼容旧 GitHub 包构建)...")
try:
subprocess.check_call([
sys.executable, "-m", "pip", "install",
"--quiet", "--force-reinstall", "setuptools<=81.2.0", "wheel"
])# 第一步:尝试 import 检查(最快)
try:
parts = import_name.split('.')
mod = __import__(parts[0])
for part in parts[1:]:
mod = getattr(mod, part)
if sub_import:cmd.extend(["-i", "https://pypi.tuna.tsinghua.edu.cn/simple"])
try:
subprocess.check_call(cmd)
logger.info(f"✅ {spec} 安装/升级完成!")
except subprocess.CalledProcessError as e:# ==================== 1. 检查是否已安装 + 版本是否满足 ====================
try:
__import__(import_name)
# 尝试获取当前版本
try:logger.warning(f"🔧 正在安装 {install_str} ...")
try:
subprocess.check_call([
sys.executable, "-m", "pip", "install",
install_str,
"-i", "https://pypi.tuna.tsinghua.edu.cn/simple",sys.executable, "-m", "pip", "install",
"--upgrade", fallback_zip, "--quiet"
]
subprocess.check_call(cmd_fallback)
logger.info(f"✅ 使用本地包 {fallback_zip} 安装成功!")
return
except subprocess.CalledProcessError as e2:logger.info("虚拟环境创建成功")
logger.info("正在升级 pip...")
subprocess.check_call([str(venv_python), "-m", "pip", "install", "--upgrade", "pip"])
# ==================== 检查 PyTorch GPU 是否已安装 ====================
if Path(venv_python).exists() and is_torch_gpu_installed(venv_python):# 安装 PyTorch
logger.info("正在安装 PyTorch(~2-3GB,请耐心等待)...")
subprocess.check_call([
str(venv_python), "-m", "pip", "install", "torch", "torchvision", "torchaudio",
"--index-url", index_url
])logger.info("安装 audio-separator CPU 版 + librosa...")
subprocess.check_call([str(venv_python), "-m", "pip", "install", "audio-separator[cpu]", "librosa"])
subprocess.check_call([str(venv_python), "-m", "pip", "install", "pydub"])
subprocess.check_call([str(venv_python), "-m", "pip", "install", "huggingface-hub[tqdm]"])
logger.info("✅ 虚拟环境及所有依赖安装完成!")subprocess.check_call([str(venv_python), "-m", "pip", "install", "audio-separator[cpu]", "librosa"])
subprocess.check_call([str(venv_python), "-m", "pip", "install", "pydub"])
subprocess.check_call([str(venv_python), "-m", "pip", "install", "huggingface-hub[tqdm]"])
logger.info("✅ 虚拟环境及所有依赖安装完成!")# 安装 audio-separator + librosa(你提到的)
if use_gpu:
logger.info("安装 audio-separator GPU 版 + librosa...")
subprocess.check_call([str(venv_python), "-m", "pip", "install", "audio-separator[gpu]", "librosa"])
else:
logger.info("安装 audio-separator CPU 版 + librosa...")
subprocess.check_call([str(venv_python), "-m", "pip", "install", "audio-separator[cpu]", "librosa"])subprocess.check_call([str(venv_python), "-m", "pip", "install", "audio-separator[gpu]", "librosa"])
else:
logger.info("安装 audio-separator CPU 版 + librosa...")
subprocess.check_call([str(venv_python), "-m", "pip", "install", "audio-separator[cpu]", "librosa"])
subprocess.check_call([str(venv_python), "-m", "pip", "install", "pydub"])
subprocess.check_call([str(venv_python), "-m", "pip", "install", "huggingface-hub[tqdm]"])67/67 vendors flagged this skill as clean.