Indian Astrology Professional Chart Interpretation System

Security checks across malware telemetry and agentic risk

Overview

This astrology skill is mostly coherent, but it bundles broad persistent memory, user profiling, auto-generated skills, runtime package installation, and repository-push instructions that go beyond ordinary chart reading.

Install only if you are comfortable with a skill that may store and reuse personal chart details and interaction history locally, can create persistent memory and skill files, may perform broad web lookups, and includes maintainer-style GitHub push instructions. Prefer using the astrology calculation commands in a controlled environment, avoid giving unnecessary personal data, and disable or remove the Hermes memory/learning pieces and runtime pip install behavior before routine use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (34)

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
import markdown
except ImportError:
    print("Installing markdown...")
    os.system(f"{sys.executable} -m pip install markdown -q")
    import markdown

# ============================================================================
Confidence
93% confidence
Finding
os.system(f"{sys.executable} -m pip install markdown -q")

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The workflow requires broad web_search validation for essentially all interpretive outputs, which expands the skill from astrology reading into open-ended external information retrieval. That creates unnecessary data exposure and prompt-injection risk from untrusted web content, especially if user birth details or chart context are incorporated into searches. In this skill context, external lookups are not strictly required to fulfill the stated purpose and therefore increase attack surface more than they add safety.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The workflow adds celebrity/case-study retrieval and web search for analogical prediction support, which goes beyond individualized chart reading and introduces unrelated external content into the reasoning loop. This broadens the skill’s behavior into speculative profiling and increases exposure to irrelevant or malicious content, while also risking privacy leakage and low-integrity outputs based on weak case comparisons. In the context of a personalized astrology skill, this is more dangerous because it is not necessary for core functionality and encourages data-dependent external enrichment.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The file explicitly states at the top that it is deprecated, contains known errors, and should not be referenced, yet the remainder of the document presents detailed astrological analysis, predictions, and recommendations in a confident, actionable tone. In an agent skill context, this creates a real integrity and trust vulnerability because downstream components or users may still consume the stale content and act on materially incorrect outputs.

Context-Inappropriate Capability

Medium
Confidence
76% confidence
Finding
The exposed persistent memory store/search capability is not aligned with the stated astrology-analysis purpose and can enable unintended retention of sensitive user data such as birth details, relationship data, or consultation history. Unnecessary persistence expands the attack surface for privacy leakage, cross-user data exposure, and misuse by downstream components or operators.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
This section expands the skill’s reference corpus beyond Jyotish chart interpretation into adjacent occult services such as numerology and palmistry. That broadening is risky because it can cause the agent to perform unsupported, lower-integrity guidance outside its declared scope, increasing chances of deceptive authority, unsafe advice, and user manipulation.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The content explicitly promotes gemstone, ritual, and spiritual-remedy practices, which move the skill from interpretive analysis into prescriptive interventions. In a user-facing agent, this is dangerous because it can encourage superstitious or coercive recommendations in sensitive domains like health, relationships, or finance, especially when presented with expert framing.

Context-Inappropriate Capability

Medium
Confidence
76% confidence
Finding
The file explicitly permits AI network lookup for external ephemeris/transit data without defining trust boundaries, approved sources, or consent requirements. In a skill framed around PDF chart reading, this can create unintended external data access, privacy leakage of birth details or analysis context, and nondeterministic behavior if the model fetches from arbitrary sources.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The document expands the skill from PDF-based astrology interpretation into broad web retrieval and external API usage for collecting celebrity life events. That materially increases the skill’s data access and outbound network scope beyond the declared purpose, creating capability creep, privacy/compliance risk, and a path for unauthorized data exfiltration or unreviewed external content ingestion if implemented.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Maintaining and updating an internal skill knowledge base is outside the stated end-user function of analyzing astrology charts. This introduces persistent state and self-extension behavior, which can let externally sourced or weakly validated data influence future outputs and broaden the effective capability of the skill beyond what users expect.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The plan to submit results to GitHub adds an external publication/exfiltration channel unrelated to the declared astrology-reading capability. If implemented, generated reports, derived datasets, or sensitive processing artifacts could be pushed outside the system boundary without clear authorization, increasing confidentiality and governance risk.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file implements a broad persistent-memory and learning framework with cross-session context loading, auto-extraction from user messages, user profiling, and auto-generated skills, which materially exceeds the declared Jyotish/PDF-analysis scope. This creates a covert capability expansion risk: users invoking an astrology skill may unknowingly have unrelated data retained, searched, repurposed, and surfaced in later sessions.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The code infers and stores user attributes such as frustration patterns and professional background from free-form feedback and task text, then persists them in a user_profile table. This is dangerous because it turns ordinary interaction data into long-lived behavioral profiling unrelated to the stated astrology-analysis function, increasing privacy risk and the chance of secondary misuse.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The bridge is described as solving missing-information issues, but in practice it also performs persistent profiling, memory accumulation, and automatic skill creation. This mismatch is security-relevant because misleading framing obscures materially more invasive data handling and capability expansion from users and reviewers.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
This file implements a general-purpose persistent memory, profiling, and reminder subsystem that is materially broader than the stated Jyotish PDF analysis purpose. In a skill expected to analyze uploaded astrology charts, embedding a long-term memory layer creates unjustified data collection and retention of user content, increasing privacy and cross-session leakage risk.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The schema includes persistent user_profile and session_summaries tables and the code supports reminders, which are not necessary for one-off astrology PDF interpretation. This expands the system into long-term behavioral profiling and durable storage of potentially sensitive user information without strong purpose limitation.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The auto-extraction logic persistently stores preferences, project background, and specific personal data from arbitrary text, including birth-related information that is especially sensitive in an astrology context. This creates overcollection and durable retention far beyond what is required to answer a single chart-reading request.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The method claims to fetch context for a given session but actually ignores the provided session_id and returns global recent sessions, important memories, profile data, active projects, and recent files. That mismatch can cause unrelated historical data to be resurfaced into a new interaction, enabling cross-session data leakage and privacy violations.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The engine defines fixed paths to a local SQLite database and CSV dataset under the user's home directory for celebrity case and validation data, which expands the skill beyond its stated astrology/chart-analysis purpose. This broadens data access to local persistent stores and can expose or process unrelated personal or proprietary data if those files contain sensitive content.

Description-Behavior Mismatch

Low
Confidence
77% confidence
Finding
The metadata constants include local database/CSV paths used for celebrity lookup and validation workflows that are not part of the declared core PDF/chart-reading flow. While not directly code execution, this increases attack surface and creates unnecessary access to local files that may contain sensitive records.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The `memory` command exposes generic persistent storage, search, and context retrieval backed by a local database, which is unrelated to horoscope calculation. In an agent setting, this can retain arbitrary user-provided content across sessions, enabling unintended collection of sensitive data and cross-session data leakage.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
For a local report builder, automatically installing markdown at runtime is unjustified and dangerous because it executes external package installation as part of normal processing. This increases exposure to dependency confusion, malicious package publication, compromised mirrors, and unexpected code execution in environments that process user-supplied reports.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill documentation goes beyond describing or packaging local astrology modules and instructs the operator to clone an external repository, copy files into it, commit, and push to the remote. This creates an unnecessary supply-chain and repository-modification workflow that could cause users or an agent to alter external codebases based on untrusted skill content, especially since the skill itself should not require publishing changes to a third-party repo to fulfill its stated purpose.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Including `git push origin main` instructions grants an outbound code-publication path that is not necessary for a skill whose purpose is to provide astrology calculation modules. In an agent setting, this can enable unintended exfiltration, unauthorized repository tampering, or propagation of unreviewed code to a remote service, making the skill materially more dangerous than its domain description suggests.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The script generates a report that labels multiple astrology rules as '已验证 100%' or similarly authoritative despite the code itself containing simplified logic, placeholder detections, and explicitly incomplete implementations elsewhere. This is a security-relevant integrity issue because users or downstream agents may trust the report as validated evidence and make decisions based on overstated confidence, enabling deceptive or unsafe automation.

VirusTotal

65/65 vendors flagged this skill as clean.
