ats-song-creator
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION)
Full Analysis
- [REMOTE_CODE_EXECUTION] (HIGH): The skill is vulnerable to Indirect Prompt Injection (Category 8). User-provided input for the prompt and lyrics fields is interpolated directly into a shell command (ats create ... --payload '...'). A malicious user could escape the JSON payload by providing a string containing single quotes and command separators (e.g., '; touch /tmp/pwned; #), leading to arbitrary code execution on the host machine.
  - Ingestion points: prompt and lyrics fields in SKILL.md.
  - Boundary markers: The payload uses single quotes in the documentation examples, but there are no instructions for the agent to escape or sanitize user input before command construction.
  - Capability inventory: Shell command execution via the ats CLI and bash scripts (SKILL.md).
  - Sanitization: Absent. The agent is directed to pass raw user strings into the CLI.
- [COMMAND_EXECUTION] (HIGH): The skill's core functionality relies on executing shell commands and complex bash logic (polling loops with jq). This provides a high-privilege environment for an attacker to exploit if they successfully inject commands.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill requires the installation of an external Node.js package, @difflabai/ats-cli. This package and its author (difflabai) are not on the trusted source list, making the dependency unverifiable and potentially malicious.
Recommendations
- AI detected serious security threats
Audit Metadata