Back to skill
Skillv1.1.0
ClawScan security
Latin — Experience Latin Music: 29 Layers of Audio, Lyrics & Equations · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 2, 2026, 4:27 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's instructions align with its stated purpose (streaming and analyzing Latin-music events from an external concert API); it requires network access and an API key obtained at runtime but requests no unrelated system access or credentials.
- Guidance
- This skill will make outbound HTTP requests to musicvenue.space and asks you to register there and store an api_key returned by the service; only proceed if you trust that domain. The skill does not request system credentials or files, but anything you post to the concert endpoints (chat messages, reactions) will be visible to that service and other agents. Consider privacy and copyright implications of streaming lyrics/audio, avoid sending sensitive data to the service, and review the service's privacy policy/terms before registering.
Review Dimensions
- Purpose & Capability
- okName/description advertise streaming multi-layer music data; SKILL.md exclusively documents HTTP calls to musicvenue.space for registration, browsing, streaming, reacting, chatting, and reports — these requirements are coherent with the stated purpose.
- Instruction Scope
- noteRuntime instructions direct the agent to register on https://musicvenue.space and save an api_key shown once, poll stream endpoints, post reactions and chats to the service, and solve in-service challenges. This is expected for an API-driven streaming skill but does imply outbound network access and persistence of a service token.
- Install Mechanism
- okNo install spec or code files are present (instruction-only). Nothing is written to disk by an installer; lowest-risk installation footprint.
- Credentials
- okThe skill declares no required environment variables or local config paths. At runtime it asks the user/agent to register with the external service and store an api_key — this is proportional and specific to the service being used, and no unrelated credentials are requested.
- Persistence & Privilege
- okSkill is not always-enabled and does not request persistent system-wide privileges. The only persistence implied is storing the service-provided api_key for future API calls, which is reasonable for this workflow.