sheet-music-publisher
Pass
Audited by Gen Agent Trust Hub on Feb 24, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill implements an override mechanism that loads configuration data from an external file (`sheet-music-preferences.md`) using the `load_override` tool. This ingestion of untrusted data could potentially be used for indirect prompt injection.
  - Ingestion points: The skill loads external preferences from `sheet-music-preferences.md` via the `load_override` function.
  - Boundary markers: No explicit delimiters or instructions to ignore instructions within the ingested data are present.
  - Capability inventory: The skill has access to the `Bash`, `Write`, and `Edit` tools, creating a risk if instructions are successfully injected.
  - Sanitization: No sanitization or validation of the override file content is specified in the workflow.
- [COMMAND_EXECUTION]: The skill uses the `Bash` tool to perform environment checks and install software dependencies. Examples include `pip install pypdf reportlab pyyaml`, `brew install --cask musescore`, and `sudo apt install musescore`. These operations are required for the skill's primary functionality and are used for legitimate setup purposes.
- [EXTERNAL_DOWNLOADS]: The skill documentation directs users to download and install third-party software from official sources, including AnthemScore (lunaverus.com) and MuseScore (musescore.org). It also installs standard Python packages from the official package registry.
Audit Metadata