import-audio

Pass

Audited by Gen Agent Trust Hub on Mar 27, 2026

Risk Level: SAFE | COMMAND_EXECUTION | PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill provides templates for shell commands (mv, mkdir, unzip) that incorporate user-provided variables such as <file-path>, <album-name>, and [track-slug]. This interpolation pattern creates a surface for command injection if the agent does not properly sanitize these inputs before generating the shell commands.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it processes untrusted user data from the $ARGUMENTS variable and uses it to drive tool actions via the Bash tool.
      • Ingestion points: Untrusted user-provided arguments in SKILL.md used for file and directory naming.
      • Boundary markers: Absent; the instructions do not provide delimiters or warnings to the agent to prevent the interpretation of input as part of the command structure.
      • Capability inventory: The skill uses the Bash tool to perform file system modifications (move, directory creation) and ZIP extraction, providing a high-impact surface for malicious input.
      • Sanitization: Absent; there are no instructions for the agent to validate the character set or path integrity of user-supplied arguments, which could lead to directory traversal or shell expansion vulnerabilities.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 27, 2026, 11:26 PM