Multi-Source Music Download (多源音乐下载)

Security checks across malware telemetry and agentic risk

Overview

This skill behaves like a disclosed music search and MP3 downloader, with privacy and transport-security caveats but no evidence of hidden or malicious behavior.

Install only if you are comfortable sending song searches to several third-party music services, saving MP3s under /tmp/music, and using a downloader that disables HTTPS certificate verification. Use it only for music you are permitted to download.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill explicitly downloads MP3 files and writes them to `/tmp/music/`, but the documentation does not clearly warn the user that local file creation will occur as a side effect. In an agent setting, undisclosed filesystem writes can violate user expectations, enable unwanted storage consumption, and increase risk when content is fetched from many external sources and saved automatically.

VirusTotal

58/58 vendors flagged this skill as clean.
