Grupo Venus

Security checks across malware telemetry and agentic risk

Overview

This astrology skill appears to do what it advertises, but users should know it stores birth profiles locally and sends them to grupovenus.com.

Install only if you are comfortable saving names and exact birth details in ~/.openclaw/workspace/memory/grupo-venus.json and sending those details to the unofficial third-party site grupovenus.com. Use it only with data the person has agreed to share, avoid unnecessary real identifiers, and delete saved profiles when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly states that person data is stored persistently in a local file, but it does not warn users that sensitive personal information may be retained across sessions on disk. In this skill's context, the stored data likely includes names, birth details, and relationship/comparison data, which are privacy-sensitive and could be exposed to other local users, backups, or logs if the environment is shared or compromised.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger list includes very generic phrases such as "horoscope," "astrology," and "transits," which are likely to appear in many normal conversations unrelated to this specific skill. This can cause unintended activation, routing user requests to the skill when the user did not explicitly intend to invoke grupovenus, increasing the chance of confusing behavior or unnecessary sharing of sensitive birth data.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill directs the agent to persist highly sensitive personal data, including full name, birth date/time, location, sex, timezone, and coordinates, in a local memory file without requiring explicit user consent, retention limits, or a privacy warning. Even if intended for functionality, this creates a privacy and security risk because the data is sufficient for profiling and could be exposed through local compromise, backup leakage, or later unintended reuse by other skills or sessions.

External Transmission

Medium
Category
Data Exfiltration
Content
### Step 1 — Look up the city coordinates

```bash
curl -s "https://grupovenus.com/buscaciudjson.asp?q=CITY&pais=COUNTRY"
```

Example:
Confidence
93% confidence
Finding
curl -s "https://grupovenus.com/buscaciudjson.asp?q=CITY&pais=COUNTRY" ``` Example: ```bash curl -s "https://grupovenus.com/buscaciudjson.asp?q=Bahia+Blanca&pais=Argentina" # → [{"label":"Bahia Blanc

External Transmission

Medium
Category
Data Exfiltration
Content
```
"Luis Alberto Spinetta;1/23/1950 4:35:00 PM;Buenos Aires;Argentina;H;;3;34S35;58W22"
```

To URL-encode it for a POST body in curl use `--data-urlencode`:
```bash
--data-urlencode "nombre=Luis Alberto Spinetta;1/23/1950 4:35:00 PM;Buenos Aires;Argentina;H;;3;34S35;58W22"
```
Confidence
97% confidence
Finding
curl use `--data-urlencode`: ```bash --data-urlencode "nombre=Luis Alberto Spinetta;1/23/1950 4:35:00 PM;Buenos Aires;Argentina;H;;3;34S35;58W22" ``` --- ## Natal Chart Image Fetch the natal chart

External Transmission

Medium
Category
Data Exfiltration
Content
**POST to `informes3.asp`** to get a 1-year forecast with all slow-planet transits:

```bash
curl -s -X POST "https://grupovenus.com/informes3.asp" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "User-Agent: Mozilla/5.0" \
  --data-urlencode "nombre=Luis Alberto Spinetta;1/23/1950 4:35:00 PM;Buenos Aires;Argentina;H;;3;34S35;58W22" \
```
Confidence
98% confidence
Finding
curl -s -X POST "https://grupovenus.com/informes3.asp" \ -H "Content-Type: application/x-www-form-urlencoded" \ -H "User-Agent: Mozilla/5.0" \ --data-urlencode "nombre=Luis Alberto Spinetta;1/23

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# 1. Look up city
curl -s "https://grupovenus.com/buscaciudjson.asp?q=Rosario&pais=Argentina"

# 2. Register person with cookie jar (3-step flow required)
COOKIEJAR=$(mktemp)
```
Confidence
90% confidence
Finding
curl -s "https://grupovenus.com/buscaciudjson.asp?q=Rosario&pais=Argentina" # 2. Register person with cookie jar (3-step flow required) COOKIEJAR=$(mktemp) curl -s -c "$COOKIEJAR" -b "$COOKIEJAR" "h

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# → Maria  ;3/15/1992 2:30:00 PM;Rosario;Argentina;V;;3;32S57;60W40

# 4. Fetch 1-year transit graph (no session needed for reports)
curl -s -X POST "https://grupovenus.com/informes3.asp" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "User-Agent: Mozilla/5.0" \
  --data-urlencode "nombre=Maria;3/15/1992 2:30:00 PM;Rosario;Argentina;V;;3;32S57;60W40" \
```
Confidence
98% confidence
Finding
curl -s -X POST "https://grupovenus.com/informes3.asp" \ -H "Content-Type: application/x-www-form-urlencoded" \ -H "User-Agent: Mozilla/5.0" \ --data-urlencode "nombre=Maria;3/15/1992 2:30:00 PM

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
| sort -t' ' -k2 -n

# 6. Fetch natal chart PNG
curl -s "https://grupovenus.com/dibujo.aspx" \
  --get \
  --data-urlencode "fec=3/15/1992 2:30:00 PM" \
  --data-urlencode "aju=3" \
```
Confidence
95% confidence
Finding
curl -s "https://grupovenus.com/dibujo.aspx" \ --get \ --data-urlencode "fec=3/15/1992 2:30:00 PM" \ --data-urlencode "aju=3" \ --data-urlencode "ciu=Rosario" \ --data "pais=Argentina" \ -

VirusTotal

64/64 vendors flagged this skill as clean.
