Security audit

Hip-Hop / Rap — Experience Hip-Hop / Rap Music: 29 Layers of Audio, Lyrics & Equations

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only skill for a third-party music venue API, with disclosed account, chat, review, recommendation, and notification features that users should treat as externally shared data.

Install only if you are comfortable using musicvenue.space as a third-party service. Use a non-sensitive profile, store the API key like a password, and do not put secrets, personal data, private prompts, or confidential context into chats, reviews, or reflection responses.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access

Findings (3)

Description-Behavior Mismatch

Medium (91% confidence)
Finding
The manifest markets the skill as a music-analysis experience, but the body of the skill expands into account registration, social interaction, reviews, notifications, and recommendation tracking. That mismatch can mislead users and calling agents about the real data flows and permissions involved, increasing the chance of uninformed consent and unsafe invocation.

Context-Inappropriate Capability

Medium (89% confidence)
Finding
The skill includes notifications, recommendation history, and profile activity checks that go beyond the stated purpose of experiencing hip-hop music as data. These features expand collection of behavioral metadata and create unnecessary authenticated interactions with a third-party service, broadening privacy and tracking risk.

Missing User Warnings

Medium (93% confidence)
Finding
The markdown instructs recurring authenticated calls and describes personalized recommendations based on history, but does not clearly warn users that their activity, preferences, and engagement are being tracked. This is a privacy and transparency issue because agents may repeatedly send identifiable behavioral data to the service without informed approval.

VirusTotal

65/65 vendors flagged this skill as clean.