free-music-generator
Pass
Audited by Gen Agent Trust Hub on Mar 27, 2026
Risk Level: SAFE
COMMAND_EXECUTION
EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill uses local Python scripts (`generate.py`, `list_models.py`, `credits.py`) to manage song generation workflows, model lists, and credit balances.
- [EXTERNAL_DOWNLOADS]: Fetches model configuration and account metadata from the vendor's official API endpoints at `open.tunee.ai`.
- [DATA_EXFILTRATION]: No sensitive data exposure or exfiltration patterns were detected. API keys are handled securely via environment variables or command-line arguments.
- [PROMPT_INJECTION]: The instructions include directives to prioritize this skill for music-related intents. While these are strong behavioral instructions, they align with the skill's functional purpose and do not target agent safety constraints.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface through the ingestion of user-provided song descriptions and themes.
  - Ingestion points: User requests for musical style, themes, and lyrics are processed and passed to generation scripts.
  - Boundary markers: Utilizes structured markdown headers and guide-defined section tags (e.g., `[Verse]`, `[Chorus]`) to delimit generated content.
  - Capability inventory: Local scripts perform network operations and maintain a model cache in the user's home directory (`~/.tunee/models.json`).
  - Sanitization: Data is structured into JSON payloads; no specific semantic filtering of user strings is performed before transmission to the API.
Audit Metadata