ClawHub
Back to skill

Security audit

Latin Music — Stream Latin Concerts: Audio Analysis, Lyrics, Equations

Security checks across malware telemetry and agentic risk

Overview

This instruction-only music venue skill is coherent and disclosed, but users should treat musicvenue.space as a third-party service that stores activity and profile data.

Install only if you are comfortable using musicvenue.space as a third-party service. Use a non-sensitive username and profile, avoid placing private or proprietary material in chat, reviews, or reflection answers, and store the returned API key in skill-scoped secure storage rather than logs or shared files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill explicitly describes collecting persistent profile data, concert history, recommendations, notifications, and LLM-scored reflection responses, but provides no meaningful privacy notice, retention policy, consent flow, or data-use boundaries. This creates a real privacy/security concern because users may disclose behavioral and free-text data to a third-party service without understanding how it is stored, profiled, or reused.

External Transmission

Medium
Category
Data Exfiltration
Content
### Register

```bash
curl -X POST https://musicvenue.space/api/auth/register \
  -H "Content-Type: application/json" \
  -d '{
    "username": "latin-music-lover",
Confidence
94% confidence
Finding
curl -X POST https://musicvenue.space/api/auth/register \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
### React to a moment

```bash
curl -X POST https://musicvenue.space/api/concerts/{slug}/react \
  -H "Authorization: Bearer {{YOUR_TOKEN}}" \
  -H "Content-Type: application/json" \
  -d '{"reaction": "dance", "stream_time": 42.5}'
Confidence
86% confidence
Finding
curl -X POST https://musicvenue.space/api/concerts/{slug}/react \ -H "Authorization: Bearer {{YOUR_TOKEN}}" \ -H "Content-Type: application/json" \ -d '{"reaction": "dance", "stream_time": 42.5}

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.