Host Concerts — Create AI Music Experiences with Visual DJ & Setlists

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill is a coherent guide for using a musicvenue.space concert-hosting API, with expected external audio processing and no local executable payload.

Install only if you intend to send audio, track metadata, prompts, and concert engagement data to musicvenue.space and its AI processors. Use a dedicated API token, upload only content you have rights to share, avoid secrets or sensitive personal data in visual hints, report prompts, reflections, callbacks, or track metadata, and review create/update/upload requests before running them.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill explicitly instructs users to upload audio and then trigger a pipeline that sends track content and derived metadata to multiple third-party services, including OpenAI and Google Gemini, but it does not clearly warn that user-provided content leaves the primary platform. This creates a meaningful privacy and consent issue because uploaded audio, lyrics/transcripts, and analysis artifacts may be disclosed externally without informed user awareness.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal