muapi-media-generation
Warn
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: MEDIUMCREDENTIALS_UNSAFEREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The scripts
create-music.shandimage-to-video.shcontain an--add-keyoption that writes the user'sMUAPI_KEYinto a plaintext.envfile. This leads to insecure storage of sensitive credentials in the local environment.\n- [REMOTE_CODE_EXECUTION]: Ingenerate-image.shandgenerate-video.sh, the--viewflag downloads a file from a URL provided by the remote API and executes theopencommand on it. This creates a risk where a compromised or malicious API response could cause the execution of harmful files on macOS.\n- [COMMAND_EXECUTION]: The scripts usecurlto upload local files to the vendor's server via theupload_filefunction. The file paths are taken directly from user-provided arguments.\n- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface.\n - Ingestion points: The
--promptand--image-urlarguments in all generation scripts (e.g.,generate-image.sh).\n - Boundary markers: None are used to delimit user input in the API payload.\n
- Capability inventory: Network access via
curland file execution viaopen.\n - Sanitization: Prompt content is escaped using
python3'sjson.dumpsbefore transmission.
Audit Metadata