bg-music
Fail
Audited by Gen Agent Trust Hub on Jul 8, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The
setup_env.shscript clones the ACE-Step 1.5 repository from GitHub (https://github.com/ace-step/ACE-Step-1.5.git) to the user's local directory (~/.bg-music/). It also downloads model weights (approximately 10GB) from Hugging Face on the first run. - [REMOTE_CODE_EXECUTION]: The
REFERENCE.mddocumentation andsetup_env.shscript suggest installing theuvpackage manager using a piped shell script (curl -LsSf https://astral.sh/uv/install.sh | sh). While Astral is a well-known service, executing remote scripts directly in the shell is an inherently risky pattern. - [COMMAND_EXECUTION]: The Python and Bash scripts (
generate_music.py,mix_voiceover.sh, andsetup_env.sh) use system calls to execute external binaries includingffmpeg,ffprobe,git, anduvfor audio processing and environment management. - [REMOTE_CODE_EXECUTION]: The
generate_music.pyscript dynamically adds the cloned ACE-Step directory to the Python search path (sys.path.insert(0, ad)) to import and execute its modules.
Recommendations
- HIGH: Downloads and executes remote code from: https://astral.sh/uv/install.sh - DO NOT USE without thorough review
Audit Metadata