music-listener
Warn
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the Bash tool to execute audio processing commands like ffprobe, ffmpeg, and whisper.
- Evidence: The variable <audio_file> is interpolated directly into shell strings in Step 1, Step 2, and Step 3 (e.g., ffprobe ... "<audio_file>").
- Evidence: The variable <id> is interpolated into the output path for spectrogram generation: /tmp/music_spec_<id>.png.
- Risk: While double quotes are used, many shells still process command substitution (e.g., $(command)) or backticks inside double quotes. If a user provides a file with a malicious name containing these characters, it could lead to arbitrary command execution on the host system.
Audit Metadata