apple-music
Warn
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill recommends the installation of an external MCP server from a third-party GitHub repository (github.com/epheterson/mcp-applemusic). This source is not listed as a trusted organization or well-known service, and installation involves executing local build commands on the downloaded source.
- [COMMAND_EXECUTION]: The skill makes extensive use of osascript to control the Music application via shell subprocesses. This pattern involves dynamic string assembly for script execution, which can be vulnerable to command injection if user-provided names for tracks or playlists are not properly escaped.
- [PROMPT_INJECTION]: There is a vulnerability surface for indirect prompt injection where data from user inputs or API responses is used to construct executable scripts.
  - Ingestion points: User-provided search terms, playlist titles, and metadata retrieved from the MusicKit API (SKILL.md).
  - Boundary markers: The documentation suggests using delimiters (quotes) and manual escaping, but these are not automatically enforced.
  - Capability inventory: Subprocess execution of AppleScript, network requests to Apple APIs, and modification of local configuration files for the AI agent.
  - Sanitization: A Python helper function for string escaping is provided in the documentation as a reference, but the skill relies on the implementer to apply it correctly to all inputs.