Back to skill

Security audit

WeryAI Music Generator

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches WeryAI music generation, but it bundles undeclared podcast API code and has inconsistent local-file upload rules, so it needs review before installation.

Install only if you are comfortable reviewing the bundled scripts and limiting use to the documented music entrypoints. Do not pass local file paths as reference_audio unless you intentionally want that file uploaded to WeryAI, and avoid setting WERYAI_BASE_URL to any host you do not control and trust. The package should ideally remove or separately disclose the podcast modules and make local-file handling consistent before broad use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The skill earlier states that local/file `reference_audio` sources are accepted and will be automatically uploaded, but the constraints later say not to use local file paths. This inconsistency is security-relevant because it can lead agents to exfiltrate unintended local files to a remote API when handling user-supplied paths, especially if operators assume local paths are forbidden while the runtime still uploads them.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
This file submits podcast text-generation requests even though the declared skill is for music generation. That capability mismatch is dangerous because it expands the effective data-processing scope beyond what users and reviewers would reasonably expect, increasing the risk of unauthorized collection or transmission of user content. In an agent ecosystem, hidden or unjustified off-manifest capabilities are especially risky because they can bypass user intent and trust boundaries.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The imported podcast-specific normalization and validation modules indicate this skill contains a podcast-generation pathway unrelated to its stated music-generation purpose. Even without an obvious exploit primitive, this is a security-relevant capability mismatch because it can cause the agent to handle different classes of user data and make outbound requests for functions users did not authorize. The mismatch makes the skill context more dangerous, not less, because a music tool is less likely to be scrutinized for text/podcast exfiltration paths.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
This file implements a podcast text-generation and audio-rendering workflow, including submission to podcast-specific endpoints and polling for podcast task completion, which is outside the declared skill scope of music/song/instrumental generation. Scope mismatch is dangerous because it can expose undeclared capabilities, route user content to unintended APIs, and bypass user or platform expectations about what the skill is allowed to do.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
This code sends user-provided podcast text to a remote API via client.post without any visible disclosure, consent check, or data-minimization control in the execution path. While network submission is expected for an API-backed skill, the danger here is that the transmitted content may be sensitive and, combined with the manifest mismatch, users may not realize their text is being sent to an external service. The surrounding skill context increases risk because the feature is undeclared and therefore less likely to be understood by users.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/vendor/weryai-core/upload.js:147