ableton-live-mcp-control

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.80). The GitHub repository is an obscure third‑party project that installs a Remote Script and exposes arbitrary Python execution inside Ableton (evaluate_python/insert_audio/capture_audio tools), and the skill is linked from an unfamiliar domain (ara.so) — together these make cloning/installing and running the code a high-risk vector for malware or destructive scripts unless you fully audit the source.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). The skill intentionally exposes an evaluate_python facility that executes arbitrary Python inside the user's Ableton Live process (plus audio capture and full Live-set introspection), which constitutes remote code execution/backdoor capability enabling data exfiltration, credential/environment access, filesystem/network operations and persistent modifications—making it a high‑risk abuse vector.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill explicitly instructs cloning and running the repository https://github.com/bschoepke/ableton-live-mcp.git (git clone ... then python -m ableton_live_mcp), which fetches external code that is then executed and is required for the MCP to run arbitrary evaluate_python functionality, so this is a runtime external dependency that executes remote code.