Tomoviee Text to Music

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward text-to-music API helper that clearly discloses its external Tomoviee/Wondershare API use and credential needs.

Use dedicated Tomoviee/Wondershare API credentials, avoid passing real secrets directly in shell commands or shared logs, and only provide callback URLs you control. Do not include sensitive information in prompts or callback parameters.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 92%
Finding: The skill explicitly instructs runtime network access to external hosts but does not declare any permissions, creating a transparency and policy-enforcement gap. This can bypass least-privilege review, making it easier for a skill to send user prompts or credentials to external services without users or tooling clearly understanding that network access is required.

VirusTotal

66/66 vendors flagged this skill as clean.
