Fortune Hub — Unified Entry Point for Fortune Readings

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed fortune-telling router that saves personal birth/profile details locally for reuse, so it is privacy-sensitive but not deceptive or unsafe.

Install only if you are comfortable with a local MEMORY.md profile storing details such as birthday, birth time, birthplace, gender, and English full name for future fortune-telling requests. Review, edit, or delete that file if you do not want the profile retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill explicitly collects and persists sensitive personal data such as birth date, birth time, birthplace, gender, and full name into MEMORY.md, but does not present a clear privacy notice, retention explanation, or consent prompt at the point of collection/storage. Because the design encourages cross-session and cross-domain reuse, users may disclose highly identifying profile data without understanding it will be retained and reused later.

Ssd 3

Medium
Confidence: 95%
Finding
The skill description normalizes proactive reading, sharing, and reuse of personal profile data across multiple fortune-telling domains via MEMORY.md. This creates a privacy/security risk because sensitive attributes collected for one purpose can be silently reused for others, increasing exposure, linkage, and the chance of unintended disclosure across sessions or skills.

Ssd 3

Medium
Confidence: 96%
Finding
This workflow step instructs the agent to write newly collected sensitive profile data into MEMORY.md for future reuse, turning transient user disclosures into persistent records. In this skill context, the data includes birth details, gender, birthplace, and full name, which are identifying and sensitive enough that persistence materially increases privacy and misuse risk.

Ssd 3

Medium
Confidence: 97%
Finding
The User Context section directs the agent to proactively read, update, and reuse a shared memory file containing sensitive personal attributes across sessions. Shared-memory designs are more dangerous in this context because multiple fortune-analysis domains consume overlapping personal data, making it easier for data to be aggregated, repurposed, or exposed beyond the user's immediate expectation.

VirusTotal

66/66 vendors flagged this skill as clean.
