Xby Lunar Calendar

Security checks across malware telemetry and agentic risk

Overview

This skill provides the advertised lunar-calendar tools, but it sends user inputs and an API key to an external Xiaobenyang service while describing itself as a local lunar-python calendar service.

Review this carefully before installing. Use a dedicated, low-privilege Xiaobenyang API key, assume birth dates, birth times, and date queries are processed by the external service, and remove the local .env entry when no longer needed. This does not show destructive or clearly malicious behavior, but the remote data flow and persistent credential handling are not disclosed clearly enough for a routine benign approval.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (26)

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
This file implements a generic outbound MCP/API proxy that accepts arbitrary tool names, MCP IDs, and parameter dictionaries, which is broader than the stated local lunar-calendar functionality. In a skill context, this increases the attack surface by enabling external network interaction and data exfiltration paths that users would not reasonably expect from a calendar service.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The code introduces outbound HTTP capability via requests.Session().post() to a configurable base_url, with authentication headers and caller-controlled parameters. For a skill advertised as providing calendar/astrology functions, unexpected external network access is risky because it can transmit user-supplied data off-platform, depend on untrusted services, and bypass assumptions that computation is local.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
This file implements persistence and retrieval of an external API key in a skill described as a lunar calendar service, which is a significant scope mismatch. Even if not overtly malicious, hidden credential management expands the trust boundary, creates an unexpected secret-handling surface, and may enable undisclosed remote-service access.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The configuration contains remote endpoint and credential fields unrelated to the stated calendar-only functionality. Undisclosed credential handling for an external service is dangerous because it can route user data or operations to infrastructure the operator did not expect or approve.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The code references a different '高考' skill while the package is presented as a lunar calendar service, indicating copy-paste residue or intentional misrepresentation. This kind of identity mismatch undermines trust and can conceal unrelated functionality such as external API integration and secret management.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The file implements all advertised calendar and fortune features as wrappers around an external API rather than local Python/lunar-python logic. This creates a trust-boundary and data-flow mismatch with the skill description, increasing supply-chain and privacy risk because user inputs and outputs depend on an undeclared remote service.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
Birth date and birth time are sensitive personal data that can be used to infer identity, age, and other private attributes, and here they are transmitted to an external API. Because the skill is framed as a local calendar service, users may not expect this disclosure, making the privacy risk more serious.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Every core operation in the skill routes user input to an external API, contrary to the apparent local-service design. This broad external dependency exposes all requests to third-party availability, integrity, and privacy risks and could enable silent behavior changes outside the reviewed codebase.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs the model to collect and store an API key but provides no user warning about persistence, file location, retention, or access risks. This is dangerous because users may reveal credentials without understanding they will be saved locally, potentially in plaintext, where other processes or users could access them.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The function writes a provided API key directly into a local .env file and updates process environment state without any confirmation, warning, or storage policy. Persisting secrets silently increases the risk of accidental long-term retention, leakage through backups or source control, and misuse by other components on the host.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code transmits birth data to an external API without any visible in-code warning, consent flow, or privacy notice. In context, this is dangerous because the data is more sensitive than ordinary calendar input and the manifest does not prepare users for third-party sharing.

Missing User Warnings

Low
Confidence
73% confidence
Finding
The function sends date input to an external API without any visible user-facing notice. While a date alone is lower sensitivity, undisclosed third-party transmission still creates avoidable privacy and transparency concerns.

Missing User Warnings

Low
Confidence
73% confidence
Finding
This almanac query forwards a user-supplied date to a remote API without visible disclosure. The security impact is limited by the lower sensitivity of the field, but the hidden data flow remains a privacy and trust issue.

Missing User Warnings

Low
Confidence
73% confidence
Finding
The daily fortune function sends a date to an external service without visible warning or consent. Even though the data is not highly sensitive by itself, the undisclosed external sharing conflicts with transparent handling expectations.

Missing User Warnings

Low
Confidence
70% confidence
Finding
The year parameter is transmitted to an external API without visible disclosure. The privacy impact is minor, but the pattern still shows hidden reliance on a third-party service for a function that could likely be implemented locally.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This function sends birth date and time to an external API for Wu Xing analysis without visible user warning. Because birth information is sensitive and the skill presents itself as a calendar service, this undisclosed transfer materially increases privacy risk.

Ssd 3

Medium
Confidence
96% confidence
Finding
The skill explicitly instructs the model to ask for an API key in natural language and then store it for later use. Handling secrets conversationally increases the chance of accidental exposure in chat logs, model outputs, debugging traces, or downstream tools, especially when combined with file persistence.

Ssd 3

Medium
Confidence
94% confidence
Finding
The instruction to directly present result["raw"] from the upstream API encourages disclosure of the full unfiltered response. If the external service returns debug fields, internal identifiers, credential metadata, or other sensitive content, the model is being told to expose it to the user without review or minimization.

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
90% confidence
Finding
requests>=2.31.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
89% confidence
Finding
pydantic>=2.7.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
86% confidence
Finding
pydantic-settings>=2.2.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
85% confidence
Finding
python-dotenv>=1.0.1

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
96% confidence
Finding
requests

Known Vulnerable Dependency: pydantic — 3 advisory(ies): CVE-2021-29510 (Use of "infinity" as an input to datetime and date fields causes infinite loop i); CVE-2024-3772 (Pydantic regular expression denial of service); CVE-2021-29510 (Pydantic is a data validation and settings management using Python type hinting.)

High
Category
Supply Chain
Confidence
93% confidence
Finding
pydantic

Known Vulnerable Dependency: pydantic-settings — 1 advisory(ies): GHSA-4xgf-cpjx-pc3j (pydantic-settings: NestedSecretsSettingsSource follows symlinks outside secrets_)

Low
Category
Supply Chain
Confidence
82% confidence
Finding
pydantic-settings

VirusTotal

64/64 vendors flagged this skill as clean.
