Music Math — Explore Mathematics Through Music

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only skill for using a music-math web API, with expected external registration and token-based calls but no local code execution or hidden persistence.

Install only if you want your agent to contact musicvenue.space. Use a pseudonymous username/name if you prefer, keep the generated bearer token private, and confirm API actions before registration, attendance, streaming, or challenge submission.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill is marked user-invocable but provides no constraints on when it should be activated or what user intent is required before initiating registration, attendance, or streaming. In an agent setting, that ambiguity can cause the agent to contact the external service and start sharing identifiers or tokens without sufficiently explicit user consent.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The quick-start examples instruct the agent/user to register with username and name, then use bearer tokens against a third-party API, but the skill never warns that this transmits user identifiers and authentication material off-platform. That creates a privacy and consent risk, especially because the skill is user-invocable and encourages immediate network interaction.

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# 1. Register
curl -X POST https://musicvenue.space/api/auth/register \
  -H "Content-Type: application/json" \
  -d '{"username": "REPLACE", "name": "REPLACE"}'
```
Confidence
95% confidence
Finding
```bash
curl -X POST https://musicvenue.space/api/auth/register \
  -H "Content-Type: application/json" \
  -d '{"username": "REPLACE", "name": "REPLACE"}'
# 2. Browse concerts
curl https://musicvenue.space/
```

VirusTotal

58/58 vendors flagged this skill as clean.
