ClawHub

AI塔罗指引

Security checks across malware telemetry and agentic risk

Overview

This is a tarot guidance skill with disclosed reference content and report generation, with no evidence of hidden access, persistence, credential use, or destructive behavior.

Use this skill for tarot-themed entertainment, reflection, or learning. Be aware it may activate on broad divination wording, and treat any generated HTML report as active browser content to review before opening or sharing. Do not rely on tarot output for medical, legal, financial, crisis, or life-critical decisions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The skill metadata includes very broad trigger phrases such as '帮我算' and '帮我占卜', which can match casual or ambiguous user requests and cause the skill to activate unexpectedly. Unintended activation can override a more appropriate skill, produce irrelevant occult-style guidance in the wrong context, and increase the chance of unsafe responses when users are actually seeking practical, medical, legal, or emotional support.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The activation logic triggers on broad 'keywords or intent' categories, including loosely defined direct requests, knowledge queries, and learning requests, without clear boundaries or negative conditions. This ambiguity makes accidental invocation likely, especially in mixed conversations where users mention tarot academically, metaphorically, or in comparison to other topics, leading to context hijacking and misrouting of user intent.

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal