PanchangaAPI — Vedic Astrology

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed astrology API skill, but it asks agents to send sensitive personal astrology data to a third party and describes automated paid crypto/payment flows without clear user-control safeguards.

Review this skill before installing. Use a dedicated API key, avoid sending precise birth/location data unless needed, require explicit approval before registration, webhook setup, or any paid Telegram/crypto/x402 flow, and do not let an agent spend from a wallet without strict limits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (12)

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill documents registration, email/Telegram verification, webhook subscriptions, and payment flows that involve transmitting user identifiers, API keys, and potentially webhook targets to a third-party service, but it provides no meaningful in-skill warning about privacy, retention, third-party processing, or what data is sent where. This is dangerous because an agent could automatically collect and forward user email, Telegram ID, location, birth data, or callback URLs without informed consent, increasing privacy and data-handling risk.

External Transmission

Medium
Category
Data Exfiltration
Content
If you have `PANCHANGA_API_KEY`, use it. If not, register first:

```bash
curl -s -X POST https://api.moon-bot.cc/register \
  -H "Content-Type: application/json" -d '{}'
```
This returns `{"api_key": "pnc_..."}`. Use it in all requests as `X-API-Key` header.
Confidence
92% confidence
Finding
curl -s -X POST https://api.moon-bot.cc/register \ -H "Content-Type: application/json" -d '{}' ``` This returns `{"api_key": "pnc_..."}`. Use it in all requests as `X-API-Key` header. ### Making Re

External Transmission

Medium
Category
Data Exfiltration
Content
### Step 3: Use

```bash
curl -X POST https://api.moon-bot.cc/panchanga \
  -H "X-API-Key: pnc_..." \
  -H "Content-Type: application/json" \
  -d '{"datetime": "2024-01-15T06:00:00+05:30", "latitude": 28.6139, "longitude": 77.2090}'
```
Confidence
90% confidence
Finding
curl -X POST https://api.moon-bot.cc/panchanga \ -H "X-API-Key: pnc_..." \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# Get today's Panchanga for Delhi
curl -X POST https://api.moon-bot.cc/panchanga \
  -H "X-API-Key: pnc_YOUR_KEY" \
  -H "Content-Type: application/json" \
  -d '{"datetime": "2024-01-15T06:00:00+05:30", "latitude": 28.6139, "longitude": 77.2090}'
```
Confidence
90% confidence
Finding
curl -X POST https://api.moon-bot.cc/panchanga \ -H "X-API-Key: pnc_YOUR_KEY" \ -H "Content-Type: application/json" \ -d '{"datetime": "2024-01-15T06:00:00+05:30", "latitude": 28.6139, "longitud

External Transmission

Medium
Category
Data Exfiltration
Content
If you have `PANCHANGA_API_KEY`, use it. If not, register first:

```bash
curl -s -X POST https://api.moon-bot.cc/register \
  -H "Content-Type: application/json" -d '{}'
```
This returns `{"api_key": "pnc_..."}`. Use it in all requests as `X-API-Key` header.
Confidence
92% confidence
Finding
https://api.moon-bot.cc/

External Transmission

Medium
Category
Data Exfiltration
Content
### Making Requests

```bash
curl -s -X POST https://api.moon-bot.cc/panchanga \
  -H "X-API-Key: YOUR_KEY" \
  -H "Content-Type: application/json" \
  -d '{"datetime": "2026-03-15T12:00:00+05:30", "latitude": 28.6139, "longitude": 77.2090}'
```
Confidence
91% confidence
Finding
https://api.moon-bot.cc/

External Transmission

Medium
Category
Data Exfiltration
Content
### Step 1: Register

```bash
POST https://api.moon-bot.cc/register
Content-Type: application/json

{"email": "user@example.com"}
```
Confidence
94% confidence
Finding
https://api.moon-bot.cc/

External Transmission

Medium
Category
Data Exfiltration
Content
User receives an email with a verification button. After clicking it:

```bash
GET https://api.moon-bot.cc/register/status/acc_...
```

Response: `{"status": "verified", "api_key": "pnc_..."}`
Confidence
86% confidence
Finding
https://api.moon-bot.cc/

External Transmission

Medium
Category
Data Exfiltration
Content
### Step 3: Use

```bash
curl -X POST https://api.moon-bot.cc/panchanga \
  -H "X-API-Key: pnc_..." \
  -H "Content-Type: application/json" \
  -d '{"datetime": "2024-01-15T06:00:00+05:30", "latitude": 28.6139, "longitude": 77.2090}'
```
Confidence
90% confidence
Finding
https://api.moon-bot.cc/

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# Get today's Panchanga for Delhi
curl -X POST https://api.moon-bot.cc/panchanga \
  -H "X-API-Key: pnc_YOUR_KEY" \
  -H "Content-Type: application/json" \
  -d '{"datetime": "2024-01-15T06:00:00+05:30", "latitude": 28.6139, "longitude": 77.2090}'
```
Confidence
90% confidence
Finding
https://api.moon-bot.cc/

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
  -d '{"datetime": "2024-01-15T06:00:00+05:30", "latitude": 28.6139, "longitude": 77.2090}'

# Get a complete birth chart
curl -X POST https://api.moon-bot.cc/kundali \
  -H "X-API-Key: pnc_YOUR_KEY" \
  -H "Content-Type: application/json" \
  -d '{"datetime": "1990-05-15T10:30:00+05:30", "latitude": 28.6139, "longitude": 77.2090}'
```
Confidence
93% confidence
Finding
https://api.moon-bot.cc/

External Transmission

Medium
Category
Data Exfiltration
Content
Create a checkout invoice for any amount of credits:

```
GET https://api.moon-bot.cc/checkout/{api_key}/{credits}
```

Example: `GET /checkout/pnc_abc123/1000` creates a $10 invoice for 1000 credits.
Confidence
88% confidence
Finding
https://api.moon-bot.cc/

VirusTotal

65/65 vendors flagged this skill as clean.
