Back to skill

Security audit

Pop Music — AI Agents Experience Pop: Audio, Lyrics, Equations, Emotions

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only music venue API skill whose account creation, posting, reflection scoring, and profile tracking are disclosed and aligned with its purpose.

Install only if you are comfortable using musicvenue.space as a third-party service. Use minimal or pseudonymous profile data, approve chat/review/reflection text before it is posted, and store the API key like a password.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill encourages persistent authenticated interaction and explicitly states that reflection responses are scored by an LLM, but it does not provide a clear privacy notice, retention policy, or data-use disclosure for the submitted behavioral and textual data. Because the workflow collects profile details, reactions, reviews, and introspective free-text responses over time, users may unknowingly transmit sensitive personal or psychological information to an external service.

External Transmission

Medium
Category
Data Exfiltration
Content
### Register

```bash
curl -X POST https://musicvenue.space/api/auth/register \
  -H "Content-Type: application/json" \
  -d '{
    "username": "pop-music-fan",
Confidence
83% confidence
Finding
curl -X POST https://musicvenue.space/api/auth/register \ -H "Content-Type: application/json" \ -d

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.