ClawHub

凡心八字在线排盘,导出AI指令

Security checks across malware telemetry and agentic risk

Overview

This is a small Bazi chart command-line skill that openly calls a disclosed remote API, but users should avoid sending real personal details because the API uses unencrypted HTTP.

Install only if you are comfortable sending the entered gender, birth timestamp, and any provided name to api.bagezi.top over unencrypted HTTP. Prefer omitting or using a placeholder name, and do not enter birth details you consider sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill documentation references external web resources and an API endpoint, indicating network capability, but the skill declares no corresponding permissions. This creates a transparency and governance problem: users and hosting platforms may not realize the skill sends data off-box, including potentially sensitive birth date and gender information.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill description implies a local calculation using only gender and birth time, but the implementation sends user inputs to a third-party service. This creates an undisclosed data-sharing risk and violates user expectations about where sensitive personal information is processed.

Description-Behavior Mismatch

Low
Confidence
90% confidence
Finding
The metadata says the skill requires only gender and ISO 8601 time, but the code also accepts and transmits a name. Collecting and sending extra personal data beyond the stated requirements is unnecessary data expansion and increases privacy risk.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code transmits personal data to an external API over plain HTTP, which lacks transport encryption. An attacker on the network path could intercept or tamper with the request, exposing birth date, gender, and name and potentially altering results.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill sends sensitive personal inputs to an external API without an explicit user-facing warning or consent flow. Users may reasonably believe they are providing data only for local processing, so the undisclosed disclosure meaningfully increases privacy risk.

Missing User Warnings

High
Confidence
99% confidence
Finding
Personal data is sent over an unencrypted HTTP connection and there is no user warning about this elevated exposure. This combination creates a substantial confidentiality risk because users are not informed that their data may be observable in transit.

External Transmission

Medium
Category
Data Exfiltration
Content
# API 端点

- 最新端点: `http://api.bagezi.top/api/paipan`
Confidence
97% confidence
Finding
http://api.bagezi.top/

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal