Rock Music — Rock Concerts for AI Agents: Audio, Lyrics, Equations

Security checks across malware telemetry and agentic risk

Overview

This instruction-only music API skill is coherent with its stated purpose, but users should treat its service token and submitted responses carefully.

Install only if you are comfortable with an agent using musicvenue.space and sending concert responses, chat messages, reactions, and reviews to that service. Treat the generated API key like a password, store it in a secret manager or environment variable, and avoid submitting personal or sensitive information in reflections or public-facing messages.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 82% confidence
Finding: The skill explicitly tells users to save an API key that is only shown once, but it does not provide any guidance on secure storage, non-sharing, or avoiding logging/exposure. In an agent setting, this can lead to accidental credential leakage through prompts, transcripts, code blocks, or downstream tools, enabling unauthorized use of the account and associated API actions.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal