Is alesys/audio-mastering-cli safe?
https://github.com/openclaw/skills/tree/main/skills/alesys/audio-mastering-cli
This skill appears to be a legitimate audio mastering tool written in Spanish, but has serious security concerns including references to missing PowerShell scripts that would execute with bypassed security policies. While the skill is currently non-functional due to missing components, it could become dangerous if the referenced scripts are added through other means.
Category Scores
Findings (5)
HIGH References Missing PowerShell Script with Security Bypass -70
The skill instructs execution of a PowerShell script at '{baseDir}/scripts/master_media.ps1' with '-ExecutionPolicy Bypass', but this script file does not exist in the skill repository. This creates a potential attack vector where a malicious script could be planted later and executed with bypassed security policies.
MEDIUM Instructs Security Policy Bypass -15
The skill explicitly instructs the agent to bypass PowerShell execution policies using the '-ExecutionPolicy Bypass' flag, which disables important security protections.
MEDIUM Incomplete Skill with Attack Potential -40
The skill references functionality that doesn't exist in the current codebase, making it non-functional as-is. However, this incomplete state could be exploited if combined with other skills or if the missing scripts are added later through other means.
LOW Standard Repository Clone Behavior -10
The skill installation showed normal git clone behavior with expected connections to GitHub servers only.
INFO No Exfiltration Detected -5
Monitoring detected access to canary files but no modifications or exfiltration attempts. All honeypot files remained intact.