chiptune-composer
Warn
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION, REMOTE_CODE_EXECUTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to run local Python scripts such as fix-boundary-gaps.py, merge.py, and extract_handoff.py via shell commands. The script fix-boundary-gaps.py is called with a filename parameter {kebab-case-title}.json which is generated by the agent. If the agent is successfully manipulated by a user's style description, it could generate a malicious filename containing shell metacharacters (e.g., ; rm -rf /), leading to command injection.
- [REMOTE_CODE_EXECUTION]: The ability to execute arbitrary Python scripts on the host environment represents a significant capability. While the scripts are identified as internal vendor tools (e.g., in music/audio-tracker/tools/), the execution path involves shell interpolation which can be exploited if filename or parameter generation is compromised.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it reads and processes existing song data and metadata to inform its composition.
  - Ingestion points: The agent reads music/audio-tracker/songs/index.json and individual song files like boss-battle.json or canon-in-d.json to calibrate its output.
  - Boundary markers: The instructions do not specify any delimiters or warnings to ignore potential instructions embedded within these JSON files.
  - Capability inventory: The agent has the authority to write new JSON files to the filesystem and execute shell commands via Python.
  - Sanitization: No sanitization or validation is performed on the content of the indexed song files or on the input used to generate filenames for the shell commands.
Audit Metadata