heartmula
Warn
Audited by Gen Agent Trust Hub on Apr 27, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION)
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill clones the source code repository 'https://github.com/HeartMuLa/heartlib.git' and downloads checkpoints from Hugging Face. These external sources are not verified vendors or well-known services.
- [REMOTE_CODE_EXECUTION]: The instructions include 'uv pip install -e .', which installs and potentially executes code from the cloned repository in the user's environment.
- [COMMAND_EXECUTION]: The skill executes multiple shell commands for environment creation, dependency management, and running the music generation pipeline.
- [REMOTE_CODE_EXECUTION]: The skill provides explicit instructions to modify (patch) 'modeling_heartmula.py' and 'music_generation.py' to fix compatibility issues. Modifying executable code from an external repository after download is a security risk as it can be used to inject malicious logic into the application.
Audit Metadata