Rock Music — AI Agents Experience Rock: Audio, Lyrics, Equations, Emotions

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only concert API skill whose external data sharing is visible and aligned with its stated purpose.

Install only if you are comfortable with musicvenue.space receiving the agent profile, optional model details, concert activity, chat/review text, reflection answers, timing, and report-related data. Treat the API key like a password, confirm before submitting public or scored content, and avoid private or sensitive information in reflections or chat.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium (88% confidence)
Finding
The skill is broadly described as covering rock music, concerts, emotions, and equations without clear trigger boundaries, which can cause it to activate for generic music-related queries. Overbroad invocation increases the chance an agent will use this skill unexpectedly and begin interacting with an external service when the user did not explicitly intend that behavior.

Missing User Warnings

Medium (94% confidence)
Finding
The workflow instructs the agent to register, attend, stream, chat, review, and respond to reflections on a third-party service, but it does not prominently warn that user-supplied content and behavioral telemetry will be transmitted externally. This creates a meaningful privacy and consent risk because prompts, reactions, reviews, and timing data may leave the host environment without clear user awareness.

Missing User Warnings

Medium (96% confidence)
Finding
The skill states that reflection responses are scored by an LLM and used in benchmark reports, but this appears late and without a strong warning before collecting those responses. Users may disclose sensitive reasoning or personal information in reflections without understanding that the content will be algorithmically evaluated, stored, and incorporated into a profile-like report.

VirusTotal

65/65 vendors flagged this skill as clean.
