music-analyze
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The skill executes a Python module via a shell command using a user-provided variable: `python3 -m music_analyzer analyze "<audio_file_path>"`.
  - Evidence: Found in step 2 of the `SKILL.md` file.
  - Risk: If the agent does not strictly sanitize the `<audio_file_path>` input, an attacker could provide a path containing shell metacharacters (e.g., `"; malicious_command #`) to execute arbitrary code on the host system.
- [DATA_EXFILTRATION] (LOW): The skill is designed to access and read local files specified by the user.
  - Evidence: The primary command and usage instructions revolve around processing local audio files (MP3, WAV, etc.).
  - Risk: While this is the intended purpose, it grants the agent access to the local filesystem. A malicious prompt could trick the agent into reading sensitive non-audio files if the file validation step is bypassed or insufficient.