cloud-uploader

Fail

Audited by Gen Agent Trust Hub on Feb 22, 2026

Risk Level: HIGH
CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
  • [CREDENTIALS_UNSAFE] (HIGH): The skill instructs the agent to execute 'cat ~/.bitwize-music/config.yaml', a file explicitly documented to contain sensitive 'access_key_id' and 'secret_access_key' values. This exposes raw credentials to the conversation context.
  • [EXTERNAL_DOWNLOADS] (LOW): The skill specifies the installation of 'boto3' via pip. While 'boto3' is a trusted library, runtime package installation is a common vector for dependency confusion or supply chain attacks.
  • [DATA_EXFILTRATION] (MEDIUM): The skill's primary function is to transmit local data to external cloud storage providers (AWS S3 and Cloudflare R2). While this is the intended use case, it provides a functional path for data exfiltration.
  • [COMMAND_EXECUTION] (MEDIUM): The skill utilizes the Bash tool to execute local Python scripts with parameters like '{album}' and '{artist}'. These parameters may be derived from untrusted user input and are used to construct command-line arguments without visible sanitization.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 22, 2026, 02:43 PM