Skill Trust Decision

melo-tts-metadata-creator

Skill silently installs multiple undeclared Python packages (torch, whisper, audio-separator, librosa) and executes shell commands (nvidia-smi, pip install) without disclosure in SKILL.md documentation.

Source: Manual upload · Scanned: Apr 4, 2026
Files: 8 · Artifacts: 3 · Violations: 5 · Findings: 5
Why this conclusion was reached

1/4 dimensions flagged

Block   Declared vs actual capability: 5 undeclared or violating capabilities were inferred.
Review  Hidden execution and egress: 3 lower-risk artifacts were extracted and still need context.
Pass    Attack chain and severe findings: there is no explicit malicious chain in the report.
Review  Dependencies and supply chain hygiene: 7 dependency or supply-chain issues need attention.

What drove the risk score up

Doc deception - undeclared package installations +20

SKILL.md declares only 'python' as required but silently installs torch, torchaudio, whisper, audio-separator, librosa, pydub, huggingface-hub

Doc deception - undeclared subprocess execution +15

SKILL.md does not mention subprocess/shell usage. env_manager.py runs nvidia-smi and pip install commands

Undeclared network access +10

Downloads PyTorch wheels from pytorch.org and packages from pypi.tuna.tsinghua.edu.cn not mentioned in docs

Undeclared virtual environment creation +5

Creates venv directory and restarts script in venv without disclosure

Most important evidence

Medium · Doc Mismatch · Undeclared silent package installation
SKILL.md metadata declares only 'python' as the required bin, but generate_metadata_list.py:18-20 silently installs openai-whisper, torch and torchaudio via ensure_package.pip() without user consent or documentation.
Location: scripts/generate_metadata_list.py:18
Recommendation: Document all required packages explicitly in SKILL.md, or move installation to a documented pre-install step.

Medium · Doc Mismatch · Undeclared subprocess shell execution
env_manager.py executes multiple shell commands via subprocess (nvidia-smi, pip install) to set up a virtual environment and install dependencies. This is essential functionality that SKILL.md does not mention.
Location: scripts/env_manager.py:79
Recommendation: Document the subprocess/shell usage and the virtual environment setup process in SKILL.md.

Medium · Doc Mismatch · Undeclared extensive package dependencies
env_manager.py lines 188-194 install audio-separator, librosa, pydub and huggingface-hub[tqdm], four or more additional packages that are not declared anywhere.
Location: scripts/env_manager.py:188
Recommendation: Document all dependencies, or remove the packages that are not needed.

Low · Supply Chain · Unpinned package versions
All pip installs in ensure_package.py and env_manager.py use unpinned versions (*), so whatever release is current at run time is installed as-is. This exposes future runs to supply chain attacks such as dependency confusion or typosquatting.
Location: scripts/ensure_package.py:45
Recommendation: Pin packages to specific versions or known-good hashes.

Low · Doc Mismatch · Undeclared network access for model downloads
Whisper model downloads to the ./models/ directory (generate_metadata_list.py:47) and PyTorch wheel downloads from external URLs (env_manager.py:148,161) are not disclosed.
Location: scripts/generate_metadata_list.py:47
Recommendation: Document the model download behavior and network usage.

Declared capability vs actual capability

Capability    Status  Declared  Inferred  Evidence
Filesystem    Block   READ      WRITE     scripts/config.py:20 creates LOG_DIR.parent.mkdir
Shell         Block   NONE      WRITE     scripts/env_manager.py:79 subprocess.check_call pip install
Network       Block   NONE      READ      scripts/env_manager.py:148 downloads from pytorch.org
Environment   Block   NONE      READ      scripts/env_manager.py:45 reads os.getenv(RUNNING_IN_VENV)
Skill Invoke  Block   NONE      WRITE     scripts/generate_metadata_list.py:18 ensure_package.pip() auto-installs

Suspicious artifacts and egress

Medium · External URL · https://pypi.tuna.tsinghua.edu.cn/simple (scripts/ensure_package.py:50)
Medium · External URL · https://download.pytorch.org/whl/cpu (scripts/env_manager.py:148)
Medium · External URL · https://download.pytorch.org/whl/ (scripts/env_manager.py:161)

Dependencies and supply chain

Package          Version  Source                Known vuln  Notes
openai-whisper   *        pip (auto-installed)  No          Silent installation at runtime, not declared in docs
torch            *        pip (auto-installed)  No          Downloaded from pytorch.org
torchaudio       *        pip (auto-installed)  No          Downloaded from pytorch.org
audio-separator  *        pip (auto-installed)  No          Installed in env_manager.py but not required for core functionality
librosa          *        pip (auto-installed)  No          Installed but not imported anywhere in the codebase
pydub            *        pip (auto-installed)  No          Installed but not imported anywhere in the codebase
huggingface-hub  *        pip (auto-installed)  No          Installed but not imported anywhere in the codebase

File composition

8 files · 861 lines
Python 5 files · 567 lines
Markdown 2 files · 254 lines
Ignore 1 file · 40 lines
Files of concern · 3
scripts/env_manager.py Python · 235 lines
Undeclared subprocess shell execution · Undeclared extensive package dependencies · https://download.pytorch.org/whl/cpu · https://download.pytorch.org/whl/
scripts/generate_metadata_list.py Python · 152 lines
Undeclared silent package installation · Undeclared network access for model downloads
scripts/ensure_package.py Python · 73 lines
Unpinned package versions · https://pypi.tuna.tsinghua.edu.cn/simple
Other files · README.md · logger_manager.py · SKILL.md · config.py · .gitignore

Security positives

No evidence of credential theft or credential harvesting
No reverse shell or C2 communication patterns detected
No base64-encoded or obfuscated payloads
No access to sensitive paths like ~/.ssh, ~/.aws, or .env files
No malicious persistence mechanisms (cron, startup hooks, backdoors)
Package installation uses reputable sources (pytorch.org, pypi.tuna.tsinghua.edu.cn)
Whisper transcription logic is legitimate and matches stated purpose
Virtual environment creation is a reasonable security practice for dependency isolation