Back to skill

Security audit

Chinese Calendar Cn

Security checks across malware telemetry and agentic risk

Overview

This skill appears low-risk to the computer, but it does not provide the Chinese calendar features it advertises.

Review before installing. This skill should not be trusted for lunar conversion, solar terms, zodiac, festival, or auspicious-date work until the maintainer aligns the implementation with the advertised description; from a system-security perspective, it looks like a static local text script with no sensitive access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill metadata advertises Chinese lunar calendar capabilities, but the implementation only emits generic static help text and provides none of the promised functionality. This is dangerous because downstream agents or users may rely on the tool for date conversion, solar terms, zodiac, or auspicious-date decisions and receive misleading non-functional output instead of explicit failure, causing incorrect automation behavior or unsafe trust in the skill catalog.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The script presents itself as a Chinese calendar reference tool, but the embedded content is placeholder-style material unrelated to actual Chinese calendar operations. In skill ecosystems, this kind of deceptive or low-integrity packaging increases supply-chain risk because agents may select the skill based on false capability claims and then behave incorrectly or conceal the absence of real functionality.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.