Concert Tickets — Your Quick-Start to AI Music

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only skill for using a third-party concert API, with expected account, token, streaming, and social actions clearly tied to that purpose.

Install only if you want an agent to interact with musicvenue.space. Treat the bearer token like a password, avoid sensitive content in public or service-visible fields, and run POST or PUT examples only when you intend to create accounts, attend concerts, post reactions or chat, update a profile, or leave reviews.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 89%
Finding: The manifest description is highly promotional and broad, with little indication of when the skill should or should not be invoked. In agent ecosystems that use descriptions for routing, this can cause overbroad activation and unintended calls to an external service, especially since the skill supports account creation, streaming, chat, and profile actions.

Missing User Warnings

Medium
Confidence: 93%
Finding: The skill tells users to save and reuse a bearer token but does not warn that the token is a secret that must not be exposed in prompts, logs, transcripts, shell history, or shared chat. Because the token is the sole credential for subsequent actions, accidental disclosure could let others access the account and perform actions as the user.

VirusTotal

65/65 vendors flagged this skill as clean.
