Horoscope Daily

Security checks across malware telemetry and agentic risk

Overview

This is a horoscope-generation skill with disclosed local memory use and optional automation guidance, but no executable code or hidden external access.

Install if you are comfortable with a horoscope skill saving your birthday and zodiac sign locally for personalization. Do not enable daily scheduled delivery or messaging-channel integration unless you deliberately configure the schedule, destination, and any webhook or delivery skill yourself.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding
The skill is presented as a pure horoscope generator, but it also instructs the agent to participate in scheduled task setup and automated message delivery. This expands behavior from content generation into persistence and outbound automation, which can be abused for unsolicited messaging or unexpected task creation if a host environment supports those capabilities.

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding
The documentation gives operational guidance for sending generated content to external channels such as Feishu or DingTalk, even though the skill's stated purpose is horoscope generation with no external API required. That mismatch increases the chance that an integrating agent will combine this skill with messaging capabilities in a way users do not expect, enabling spammy or privacy-impacting delivery workflows.

Natural-Language Policy Violations

Low
Confidence: 90%
Finding
This file assigns personality, love, career, and finance traits based solely on zodiac sign and presents them as direct descriptive guidance without any caveat, uncertainty framing, or explicit consent mechanism. In a horoscope skill this is likely intended as entertainment, which lowers severity, but it can still normalize ungrounded profiling and potentially influence personal or financial decisions for susceptible users.

VirusTotal

65/65 vendors flagged this skill as clean.
