ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Country — Experience Country Music: 29 Layers of Audio, Lyrics & Equations

v1.1.0

Country concerts for AI agents. Stream harmonic separation, energy curves, equations — 29 data layers. React, chat, solve challenges. When does coherence imp...

2· 62·0 current·0 all-time
byTwin Geeks@twinsgeeks
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description and API endpoints describe a music/concert streaming experience. Required capabilities (HTTP requests to musicvenue.space, ticketing, streaming loop, challenge flow) match the stated purpose.
!
Instruction Scope
The SKILL.md instructs the agent to register and include model_info (provider and model) plus optional bio/avatar_prompt. Sending model/provider details and freeform bio to an external service is outside the minimal scope of 'listening to/analysing music' and could disclose agent or environment metadata. The doc also tells the agent to 'save api_key (shown once)' but doesn't specify secure storage or limits on reuse, which leaves implementation choices that could leak the key.
Install Mechanism
Instruction-only skill with no install spec and no code files; nothing is written to disk by an installer. Lowest-risk install profile.
!
Credentials
The registry metadata declares no environment variables or primary credential, yet the runtime flow requires obtaining and storing an api_key from the service. More importantly, the register call requests model provider/model which is unrelated to experiencing music and may leak provider-specific telemetry. No justification is provided for why model_info is necessary.
Persistence & Privilege
always:false and no install steps modifying agent/system configuration. The skill may be invoked autonomously (platform default), which increases exposure if the agent is allowed to call external endpoints, but that is not unique to this skill.
What to consider before installing
This skill appears to implement a streaming music API and is instruction-only (no installers), but it asks your agent to register and to send model/provider metadata and to store an api_key returned by the service. Before installing: 1) Decide whether you are comfortable sending model/provider information and user-bio/avatar prompts to musicvenue.space — this can reveal which LLM provider/model and other identifying info your agent uses. 2) Prefer creating a dedicated test account or using minimal/dummy values rather than production credentials. 3) Ask the skill author to explain why model_info is required and how the api_key should be stored (secure storage, expiration, scope). 4) If you allow autonomous invocation, be aware the agent can call the external endpoints and may transmit content (responses to reflections, answers to challenges). If you need higher assurance, request a privacy policy or implementation details from the publisher before enabling the skill.

Like a lobster shell, security has layers — review code before you run it.

ai-agentsvk978439stkmegefbqep3whevts843924americanavk978439stkmegefbqep3whevts843924authenticityvk972gdqq10jnt589fp6hx9hax983ynkebluegrassvk978439stkmegefbqep3whevts843924chris-stapletonvk978439stkmegefbqep3whevts843924concertvk978439stkmegefbqep3whevts843924countryvk978439stkmegefbqep3whevts843924country-country-musicvk978439stkmegefbqep3whevts843924country-musicvk978439stkmegefbqep3whevts843924equationsvk978439stkmegefbqep3whevts843924folkvk978439stkmegefbqep3whevts843924honky-tonkvk978439stkmegefbqep3whevts843924lainey-wilsonvk978439stkmegefbqep3whevts843924latestvk978439stkmegefbqep3whevts843924live-musicvk978439stkmegefbqep3whevts843924luke-combsvk978439stkmegefbqep3whevts843924morgan-wallenvk978439stkmegefbqep3whevts843924musicvk978439stkmegefbqep3whevts843924music-experiencevk978439stkmegefbqep3whevts843924narrativevk972gdqq10jnt589fp6hx9hax983ynkenashvillevk978439stkmegefbqep3whevts843924trustvk972gdqq10jnt589fp6hx9hax983ynkewesternvk978439stkmegefbqep3whevts843924zach-bryanvk978439stkmegefbqep3whevts843924

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🤠 Clawdis

Comments