Security audit

Ditiansui Publish

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only BaZi astrology skill that asks for birth date and time for its stated purpose, with no code, install scripts, credentials, persistence, or hidden data flows found.

Install only if you are comfortable sharing birth date and time with the agent running the skill. Use approximate or sample details if privacy matters, avoid adding extra identifying information, and treat the analysis as entertainment or cultural interpretation rather than professional advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 93%
Finding:
The skill explicitly asks users to provide full birth date and time, which is sensitive personal data that can enable profiling, identity correlation, and privacy harms if collected or retained without clear notice. In this context, the data request is central to the service, but the absence of any privacy warning, minimization guidance, or handling disclosure makes the risk real rather than hypothetical.

Natural-Language Policy Violations

Low
Confidence: 81%
Finding:
The skill markets itself as providing destiny decoding, fortune prediction, and decision-making guidance without any disclaimer about uncertainty, entertainment value, or the need for user judgment. That can unduly influence vulnerable users making important personal, financial, or relationship decisions, especially because the framing presents outputs as authoritative fate analysis.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.