Scan report
0/100
text-to-music
AI music generation assistant powered by MakebestMusic
A legitimate AI music generation skill that calls the MakebestMusic API with proper API key authentication and documented shell invocation.
Can be installed
No action needed. The skill performs as documented.
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| Network access | READ | READ | ✓ Consistent | SKILL.md:bash command documents API calls to makebestmusic.com |
| Command execution | WRITE | WRITE | ✓ Consistent | SKILL.md:bash command documents node scripts/ |
| Environment variables | READ | READ | ✓ Consistent | Both scripts read process.env.apiKey |
| File system | NONE | NONE | — | No file operations in either script |
3 findings
Medium · External URL · https://makebestmusic.com/?pid=PIDcLjhgCXUQ · SKILL.md:21
Medium · External URL · https://makebestmusic.com/app/shared-music/abc123 · SKILL.md:129
Medium · External URL · https://api.makebestmusic.com · scripts/generate.js:3
Directory structure
3 files · 8.1 KB · 308 lines
Markdown: 1 file · 167 lines
JavaScript: 2 files · 141 lines
├─ scripts
│  ├─ generate.js (JavaScript)
│  └─ query.js (JavaScript)
└─ SKILL.md (Markdown)
Security highlights
✓ No shell injection vectors: arguments are passed as positional CLI args, not interpolated into shell strings
✓ API key only used locally to authenticate with the music generation service — not exfiltrated
✓ No filesystem access beyond script invocation
✓ SKILL.md fully documents both scripts, their parameters, and expected outputs
✓ No base64, eval, curl|bash, or other high-risk patterns
✓ Network calls limited to a single legitimate external API (makebestmusic.com)
✓ No iteration over os.environ or credential harvesting patterns
✓ No hidden functionality — code behavior matches documentation
✓ No dependencies with unpinned versions