Fortune Teller

Security checks across malware telemetry and agentic risk

Overview

What the checks found is a local entertainment skill with small local logs, not evidence of harmful or hidden network behavior.

Reasonable to install for casual use. Do not enter secrets or sensitive personal details, because some command input can remain in local files under the fortune-teller data directory. Delete that directory manually if you want stored history removed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 84%
Finding
The script logs command arguments to a persistent history file without clearly disclosing this behavior to the user. In an agent-skill context, users may supply sensitive strings in commands, and silently persisting them can expose secrets, personal data, or operational details to other local users or later processes.

Missing User Warnings

Medium
Confidence: 88%
Finding
The add command appends arbitrary user-provided content to a persistent local database file without warning that the input will be stored. In this skill context, that increases risk because an agent or user may pass confidential content expecting transient processing, causing unintended local retention of sensitive data.

VirusTotal

66/66 vendors flagged this skill as clean.
