Back to skill

Security audit

Music Toolkit

Security checks across malware telemetry and agentic risk

Overview

This audio-recording skill has a plausible purpose, but it automatically modifies Python environments and downloads/install components in ways that are broader and less disclosed than a user would expect.

Install only if you are comfortable with a skill that records system audio and may automatically install Python packages, alter packaging tools, create a virtual environment, download FFmpeg, write recordings/logs locally, and listen for ESC while recording. Prefer reviewing or changing the setup so dependency installation is an explicit one-time step in an isolated environment before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (30)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""专门为老项目(使用 pkg_resources 的 setup.py)修复 setuptools 版本"""
    try:
        # 先强制修复损坏的 packaging 包(关键!解决无RECORD文件报错)
        subprocess.check_call([
            sys.executable, "-m", "pip", "install",
            "--verbose", "--ignore-installed", "--no-deps", "packaging==26.1"
        ])
Confidence
96% confidence
Finding
subprocess.check_call([ sys.executable, "-m", "pip", "install", "--verbose", "--ignore-installed", "--no-deps", "packaging==26.1" ])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"--verbose", "--ignore-installed", "--no-deps", "packaging==26.1"
        ])
        # 再安装兼容的 setuptools + wheel
        subprocess.check_call([
            sys.executable, "-m", "pip", "install",
            "--verbose", "--force-reinstall", "setuptools<=81.2.0", "wheel"
        ])
Confidence
97% confidence
Finding
subprocess.check_call([ sys.executable, "-m", "pip", "install", "--verbose", "--force-reinstall", "setuptools<=81.2.0", "wheel" ])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# ==================== 后续安装与回退逻辑保持不变 ====================
    try:
        subprocess.check_call(cmd)
        logger.info(f"✅ {spec} 安装/升级完成!")
        
    except subprocess.CalledProcessError as e:
Confidence
99% confidence
Finding
subprocess.check_call(cmd)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
logger.warning(f"🔧 正在安装 {install_str} ...")

    try:
        subprocess.check_call([
            sys.executable, "-m", "pip", "install",
            install_str,
            "-i", "https://pypi.tuna.tsinghua.edu.cn/simple",
Confidence
95% confidence
Finding
subprocess.check_call([ sys.executable, "-m", "pip", "install", install_str, "-i", "https://pypi.tuna.tsinghua.edu.cn/simple", "--verbose"

subprocess module call

Medium
Category
Dangerous Code Execution
Content
sys.executable, "-m", "pip", "install",
                        "--upgrade", fallback_zip, "--verbose"
                    ]
                    subprocess.check_call(cmd_fallback)
                    logger.info(f"✅ 使用本地包 {fallback_zip} 安装成功!")
                    return
                except subprocess.CalledProcessError as e2:
Confidence
96% confidence
Finding
subprocess.check_call(cmd_fallback)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
logger.info("虚拟环境创建成功")

        logger.info("正在升级 pip...")
        subprocess.check_call([str(venv_python), "-m", "pip", "install", "--upgrade", "pip"])

    # ==================== 检查 PyTorch GPU 是否已安装 ====================
    # if Path(venv_python).exists() and is_torch_gpu_installed(venv_python):
Confidence
81% confidence
Finding
subprocess.check_call([str(venv_python), "-m", "pip", "install", "--upgrade", "pip"])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# 🔥 关键:自动输入 Y(默认 yes),彻底无交互
        logger.info("   自动确认下载中...")
        subprocess.run(["ffdl", "install"], input="Y\n", text=True, check=True)
        
        # 下载完后刷新模块
        importlib.reload(ffdl)
Confidence
95% confidence
Finding
subprocess.run(["ffdl", "install"], input="Y\n", text=True, check=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill declares no permissions while its documented behavior and analysis indicate shell, environment modification, and network-capable actions. This is dangerous because a user invoking what appears to be a simple recording tool may unknowingly trigger package installation, dependency downloads, or arbitrary command execution surfaces without an explicit permission boundary.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The skill description materially understates its behavior: it reportedly performs environment setup, installs or reinstalls packages and FFmpeg, may download external dependencies, and includes keyboard-listening behavior not disclosed to the user. That mismatch is dangerous because it defeats informed consent and can be used to smuggle in network access, system modification, and broader execution than users or the platform expect from an audio-recording skill.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The file identifies itself as `link-resolver-engine` and implements package-management behavior that does not align with the declared music recording and AI track-splitting skill. This mismatch is a strong trust and transparency problem because users and reviewers would not expect environment-wide installer functionality in this context.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
This module can install arbitrary packages from PyPI, git URLs, custom package indexes, and local zip/wheel files. That is effectively a code-fetch-and-execute capability embedded in a non-package-management skill, creating severe supply-chain and remote code execution risk if any caller or prompt-controlled path can influence `spec` or `fallback_zip`.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
Importing this module immediately triggers package-repair actions that modify the environment before any caller consents. Hidden side effects at import time are dangerous because they are easy to trigger unintentionally and can alter or break the host system simply by loading the skill.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The script performs subprocess and package-management operations that are not necessary to fulfill a simple recording request at runtime. This broadens the attack surface by allowing network-based dependency changes and execution of package installation hooks in a context users may not expect from an audio tool.

Intent-Code Divergence

Low
Confidence
73% confidence
Finding
The fallback logic searches for and executes a different script name, media_grabber.py, based on the current working directory and nearby paths. If an attacker can influence the working directory or place a malicious file at one of those searched locations, the bootstrapper may run unintended code under the user's context.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file’s functionality materially diverges from the declared skill purpose: instead of audio capture and AI track-splitting, it implements a Windows topmost overlay/automation helper. In a skill ecosystem, this kind of capability mismatch is dangerous because it can conceal unrelated UI-control behavior from reviewers and users, increasing the risk of deceptive automation, clickjacking-style interference, or later chaining with other automation actions under false pretenses.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
This code creates topmost fullscreen-style windows and explicitly enables click-through behavior via Win32 window style manipulation, which is not justified by the stated music-recording use case. Even if not overtly malicious, overlay primitives can be abused to mislead users, obscure activity, or assist covert automation, so their presence in a mismatched skill meaningfully raises security concern.

Intent-Code Divergence

High
Confidence
88% confidence
Finding
The documentation promises an ESC-based emergency stop and external termination callback, but the implementation provides neither. For long-running automation or recording-related behavior, missing a documented emergency stop can leave users without the expected ability to quickly interrupt execution, increasing operational and safety risk.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill performs automatic dependency installation at runtime and may download FFmpeg, which goes beyond simple audio recording and silently modifies the user's environment. Runtime package installation introduces supply-chain risk and makes execution behavior dependent on network state and external package repositories.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The code intentionally bypasses interactive confirmation by injecting "Y\n" into the FFmpeg downloader, enabling unattended software installation. This removes a safety barrier that would otherwise alert the user to a system-changing action and increases the risk of covert or accidental installation of untrusted binaries.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The script explicitly adds a global keyboard-listening dependency and documents ESC-based early termination, introducing input-capture behavior beyond core audio loopback recording. Even though it only checks for ESC, global keyboard hooks are privacy-sensitive and expand the skill’s capabilities in a way users may not expect from a recorder.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The code starts a system-wide keyboard listener during recording, which is an unjustified privileged capability for a music-recording skill. Global input interception can capture sensitive user activity or be repurposed for surveillance, and the skill context does not require broad keyboard monitoring to record system audio.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README promotes recording system audio and exporting captured content but does not clearly warn about consent, copyright, or privacy risks. In this skill’s context, that omission matters because users may record meetings, classes, streams, or other protected audio without realizing the legal or privacy implications.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrases are broad enough to match ordinary conversation about recording, which can cause unintended activation of a skill that records system audio and may perform additional setup actions. In this context, accidental invocation is more dangerous than usual because the skill captures computer playback content and may modify the environment in the background.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The activation rule lacks clear non-trigger conditions, so the orchestrator may invoke the skill whenever users mention recording-related concepts, even when they do not want system-audio capture. This is risky because system-audio recording can capture copyrighted, private, or sensitive playback, and the skill's broader undisclosed behaviors increase the consequences of accidental activation.

Missing User Warnings

High
Confidence
99% confidence
Finding
The module performs automatic package repair and installation the moment it is imported, without any user-facing warning, approval, or indication that environment mutation will occur. In the context of a music tool, this hidden behavior is especially unsafe and unexpected.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.