skills/puntorigen/skills/bg-music/Gen Agent Trust Hub

bg-music

Fail

Audited by Gen Agent Trust Hub on Jul 8, 2026

Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The setup_env.sh script clones the ACE-Step 1.5 repository from GitHub (https://github.com/ace-step/ACE-Step-1.5.git) to the user's local directory (~/.bg-music/). It also downloads model weights (approximately 10GB) from Hugging Face on the first run.
  • [REMOTE_CODE_EXECUTION]: The REFERENCE.md documentation and setup_env.sh script suggest installing the uv package manager using a piped shell script (curl -LsSf https://astral.sh/uv/install.sh | sh). While Astral is a well-known service, executing remote scripts directly in the shell is an inherently risky pattern.
  • [COMMAND_EXECUTION]: The Python and Bash scripts (generate_music.py, mix_voiceover.sh, and setup_env.sh) use system calls to execute external binaries including ffmpeg, ffprobe, git, and uv for audio processing and environment management.
  • [REMOTE_CODE_EXECUTION]: The generate_music.py script dynamically adds the cloned ACE-Step directory to the Python search path (sys.path.insert(0, ad)) to import and execute its modules.
Recommendations
  • HIGH: Downloads and executes remote code from: https://astral.sh/uv/install.sh - DO NOT USE without thorough review
Audit Metadata
Risk Level
HIGH
Analyzed
Jul 8, 2026, 03:28 AM
Security Audit — agent-trust-hub — bg-music