music-timbre
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill executes
python3 -m music_analyzer timbre "<audio_file_path>"via the shell. A malicious user could provide a file path containing shell metacharacters (e.g.,test.wav"; id; ") to escape the double quotes and execute arbitrary commands on the host system.\n- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill relies on external packagesmusic_analyzer,pyloudnorm, anddemucs. The packagemusic_analyzeris generic and its source is not verified, which could lead to the execution of untrusted code during analysis. Whiledemucsis from a trusted source (Meta), the other dependencies remain unverified.\n- [INDIRECT_PROMPT_INJECTION] (HIGH): The skill processes external input (file paths) and passes them to a command execution context, creating a high-risk attack surface.\n - Ingestion points: The
<audio_file_path>parameter inSKILL.md.\n - Boundary markers: None present to delimit user input or prevent shell escaping sequences.\n
- Capability inventory: Shell command execution via
python3 -msubprocess calls.\n - Sanitization: No sanitization or validation of the path string is performed before interpolation.
Recommendations
- AI detected serious security threats
Audit Metadata