music-lyrics
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill invokes a shell command using
python3 -m music_analyzer lyrics "<audio_file_path>"which creates a command injection vulnerability if the<audio_file_path>contains shell metacharacters. - Evidence: Found in step 2 of
SKILL.md. - Ingestion Point: The
<audio_file_path>parameter provided by the user at runtime. - Capability: Execution of arbitrary shell commands via the system command line.
- Sanitization: Although step 1 mentions validating the path, it provides no specific logic, delimiters, or sanitization constraints to prevent malicious input from breaking out of the double-quoted string context (e.g., using backticks or command substitution).
Recommendations
- AI detected serious security threats
Audit Metadata