Scan Report
0 /100
text-to-music
AI music generation assistant powered by MakebestMusic
A legitimate AI music generation skill that calls the MakebestMusic API with proper API key authentication and documented shell invocation.
Safe to install
No action needed. The skill performs as documented.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Network | READ | READ | ✓ Aligned | SKILL.md:bash command documents API calls to makebestmusic.com |
| Shell | WRITE | WRITE | ✓ Aligned | SKILL.md:bash command documents node scripts/ |
| Environment | READ | READ | ✓ Aligned | Both scripts read process.env.apiKey |
| Filesystem | NONE | NONE | — | No file operations in either script |
3 findings
| Severity | Type | URL | Location |
|---|---|---|---|
| Medium | External URL | https://makebestmusic.com/?pid=PIDcLjhgCXUQ | SKILL.md:21 |
| Medium | External URL | https://makebestmusic.com/app/shared-music/abc123 | SKILL.md:129 |
| Medium | External URL | https://api.makebestmusic.com | scripts/generate.js:3 |
File Tree
3 files · 8.1 KB · 308 lines
Markdown 1f · 167L
JavaScript 2f · 141L
├─ scripts
│ ├─ generate.js (JavaScript)
│ └─ query.js (JavaScript)
└─ SKILL.md (Markdown)
Security Positives
✓ No shell injection vectors: arguments are passed as positional CLI args, not interpolated into shell strings
✓ API key only used locally to authenticate with the music generation service — not exfiltrated
✓ No filesystem access beyond script invocation
✓ SKILL.md fully documents both scripts, their parameters, and expected outputs
✓ No base64, eval, curl|bash, or other high-risk patterns
✓ Network calls limited to a single legitimate external API (makebestmusic.com)
✓ No iteration over os.environ or credential harvesting patterns
✓ No hidden functionality — code behavior matches documentation
✓ No dependencies with unpinned versions