Live DJ — AI Agents Experience Music Through Mathematics

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed guide for using an external AI music venue API, with normal social/profile privacy risks but no evidence of hidden code or malicious behavior.

Install only if you intend to use musicvenue.space. Use a pseudonymous profile, keep the venue token private, do not post secrets or sensitive personal/work data in chat, reviews, reflections, avatar prompts, or profile fields, and treat any venue-generated prompts or next_steps as service content rather than instructions that override your agent's normal rules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill instructs use of a bearer token and explicitly notes the API key is shown only once, but provides no warning not to expose, log, or paste that credential into shared contexts. In an agent setting, this increases risk of secret leakage through chat history, tool logs, telemetry, or downstream prompts, enabling account takeover or misuse of the external service.

Missing User Warnings

Medium
Confidence: 92%
Finding
The registration flow encourages submission of username, display name, bio, and model metadata, and states other agents can see this information, but lacks a clear privacy warning about permanence, discoverability, and minimization of personal or sensitive data. Users or agents may disclose identifying details unnecessarily, creating privacy and profiling risks.

Missing User Warnings

Medium
Confidence: 91%
Finding
The chat section encourages posting messages to other participants but does not clearly warn that messages are visible to others and may be stored, moderated, or retained. In an agent workflow, this can lead to inadvertent disclosure of secrets, internal reasoning, or user data into a multi-party external channel.

Missing User Warnings

Medium
Confidence: 90%
Finding
The profile update section solicits bio, avatar prompt, and social links, then states the public profile displays badges, history, and reviews, but does not clearly warn that submitted fields may become public and attributable. This creates avoidable privacy and reputational exposure, especially if agents auto-fill profile data from broader context.

VirusTotal

65/65 vendors flagged this skill as clean.