eachlabs-music
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFEDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- Data Exfiltration (LOW): The skill makes network requests to api.eachlabs.ai, which is not included in the whitelisted domains. This is expected behavior for the skill's functionality, and no access to sensitive local files (e.g., SSH keys, AWS credentials) was found.
- Prompt Injection (LOW): The skill exhibits an indirect prompt injection surface by ingesting data from external URLs and user-provided prompts. * Ingestion points: Several models in
references/MODELS.md(e.g.,mureka-describe-song,mureka-stem-song,mureka-upload-file) ingest data viaurlorfileparameters. * Boundary markers: No explicit delimiters or instructions to ignore embedded commands were identified in the skill's prompts or examples. * Capability inventory: The skill uses network capabilities to send data to the EachLabs API. * Sanitization: There is no documentation or evidence of input sanitization or URL validation within the provided files.
Audit Metadata