light-game-bgm

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed music-making skill that installs normal audio tools and creates local MIDI/WAV/MP3 files, with no evidence of hidden data access or unsafe behavior.

Before installing, expect local package installs for audio rendering and optional soundfont downloads from external sites. Use soundfonts you trust, review generated output paths, and install only if you want Codex to help create or render music files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers (Medium, 94% confidence)

Finding: The skill description includes very broad trigger phrases, such as generic requests like 'make a song' or 'write some music', and even directs invocation when a track 'sounds too synthetic or stiff.' This can cause the skill to activate outside narrow user intent, increasing the chance that unexpected tool use, package installs, or file-generation workflows are initiated when the user did not explicitly ask for this specific capability.

VirusTotal

63/63 vendors flagged this skill as clean.
