byted-music-generate

Pass

Audited by Gen Agent Trust Hub on Apr 1, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill implements a standard and well-structured API client for Volcengine (ByteDance) services. It supports official authentication methods including HMAC-SHA256 request signing and Bearer tokens.
  • [COMMAND_EXECUTION]: The skill executes a local Python script, scripts/music_generate.py. Analysis of this script shows it is a dedicated API wrapper with no arbitrary command execution or shell injection vulnerabilities. Arguments are handled via argparse and passed safely into JSON payloads.
  • [DATA_EXPOSURE]: The skill requires sensitive environment variables (VOLCENGINE_ACCESS_KEY, VOLCENGINE_SECRET_KEY, ARK_SKILL_API_KEY) for authentication. These are handled using standard environment variable practices as described in the documentation, with no evidence of exfiltration to third-party domains.
  • [INDIRECT_PROMPT_INJECTION]: The skill accepts user-provided prompts and lyrics, which are forwarded to the Volcengine API. This is the intended primary purpose of the skill. While this constitutes an injection surface, the risk is localized to the music generation output.
      • Ingestion points: prompt, lyrics, and text arguments processed in scripts/music_generate.py.
      • Boundary markers: Absent in the script-level prompt handling, but data is safely encapsulated in JSON for the API request.
      • Capability inventory: Restricted to requests.post and requests.get to Volcengine API endpoints.
      • Sanitization: The script uses json.dumps to ensure the integrity of the payload sent to the remote service.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 1, 2026, 09:48 AM