nightingale-karaoke
Warn
Audited by Gen Agent Trust Hub on Mar 19, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill directs users to download pre-compiled binaries and source code from github.com/rzru/nightingale, which is an unverified external source not included in the trusted vendors list.
- [COMMAND_EXECUTION]: Explicit instructions are provided to bypass system security controls, specifically using 'xattr -cr' on macOS to remove security quarantine flags and 'powershell -ExecutionPolicy Bypass' on Windows to run release scripts.
- [REMOTE_CODE_EXECUTION]: The application's automated bootstrap process fetches and executes multiple external binaries and libraries, including ffmpeg, uv, Python, and machine learning components like WhisperX and PyTorch, from remote registries and repositories.
- [COMMAND_EXECUTION]: The skill instructions involve cloning a remote repository and executing shell and PowerShell scripts contained within that repository's file structure.
- [DATA_EXFILTRATION]: The skill makes network requests to external APIs, such as the LRCLIB API for lyrics and the Pixabay API for video backgrounds, which involves communication with third-party servers.
Audit Metadata