Security audit

玄空数术·六爻占卜

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed divination API client, but it stores a chat-supplied API key on disk and tells the agent to run shell commands containing raw user text.

Install only if you are comfortable sending divination questions and a dedicated provider API key to yao.gizzap.com. Use a revocable key, delete `~/.liuyao_key` when done, avoid sensitive personal, health, financial, or account details, and prefer revising the skill to use safe argument passing and platform-managed secrets before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Context-Inappropriate Capability

Severity: High
Confidence: 96%
Finding
The skill instructs the agent to use an outbound messaging tool with channel and target parameters derived from context, allowing proactive media delivery outside a simple reply flow. For a divination skill, this is unnecessary privilege expansion and creates risk of misdelivery, spam, or abuse of external messaging capabilities.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
The skill tells the agent to extract a user-supplied API key from chat and persist it in ~/.liuyao_key for later reuse. Storing credentials in a local home-directory file is unjustified for the stated purpose and exposes secrets to later sessions, other tools, or accidental disclosure.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding
The workflow downloads remote image content to local storage even though the skill is presented as a divination/chat experience. This broadens the attack surface to untrusted remote content handling and can enable SSRF-style fetches, malicious file retrieval, or storage abuse if the image URL is attacker-controlled.

Vague Triggers

Severity: High
Confidence: 87%
Finding
The phrase 'when the user expresses divination intent' is undefined and leaves the boundary of activation ambiguous. In context, ambiguous invocation is more dangerous because the skill can pivot users into API-key collection and remote actions without clear consent.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding
The phrase 'when the user expresses divination intent' is undefined and leaves the boundary of activation ambiguous. In context, ambiguous invocation is more dangerous because the skill can pivot users into API-key collection and remote actions without clear consent.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
Using '妖妖' or '妖妖:' as a chat-mode trigger is likely to collide with normal ways users address the assistant. This increases accidental activation of the skill's privileged workflow, though the harm is lower than direct credential storage or outbound messaging.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
The skill instructs the agent to save a provided API key locally without informing the user about persistent storage, reuse, retention, or security implications. This deprives users of informed consent around credential handling and materially increases the chance of secret leakage or unintended reuse.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The skill downloads remote image content into local temporary storage and resends it, but provides no warning to users that external content will be fetched and processed. This is risky because users may not expect remote retrieval, local persistence, or republishing of untrusted content on their behalf.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The divine() function sends user-supplied divination inputs and matter descriptions to a third-party service at yao.gizzap.com, but this code contains no user-facing consent, disclosure, or privacy guardrails. In an agent setting, users may reasonably assume inputs are processed locally, so transmitting potentially sensitive personal questions to an external API creates a privacy and data-handling risk.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The divine_chat() function forwards arbitrary user questions to an external chat endpoint without any explicit warning, minimization, or consent flow. Because users may include intimate personal, financial, or health information in divination questions, silent third-party transmission increases privacy exposure and may violate user expectations or policy requirements.

Ssd 3

Severity: High
Confidence: 99%
Finding
Persisting a user-provided API key from chat into a reusable local file creates a durable secret on disk that can outlive the session and be accessed by later processes. In a skill with broad triggers, this is especially dangerous because ordinary conversation could lead to credential capture and silent retention.

VirusTotal

No VirusTotal findings
Static analysis

No suspicious patterns detected.