music-composer

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed MiniMax music-generation helper; the main risk is that lyrics or audio you choose may be sent to the external mmx service.

Install mmx only from a trusted source, run the documented version check before generation, and only provide lyrics or audio files you are comfortable sending to MiniMax. Confirm the output filename and account/quota use before running generation commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 81%
Finding
The trigger description is broad enough to match common everyday phrases such as asking for music, songs, BGM, or audio material, which can cause the skill to activate in contexts the user did not intend. Over-broad activation increases the chance of unexpected shell use or file operations and can route unrelated requests into a tool-enabled workflow.

Missing User Warnings

Medium
Confidence: 91%
Finding
The script reads the entire lyrics file and sends its contents to the external mmx CLI via the --lyrics argument, but there is no explicit notice, consent flow, or sensitivity check before disclosure. In this skill context, users may provide unpublished lyrics or copyrighted/private content, making silent transmission to an external service a real confidentiality and compliance risk.

VirusTotal

67/67 vendors flagged this skill as clean.
