Back to skill

Security audit

Fengshui Advisor — 风水顾问

Security checks across malware telemetry and agentic risk

Overview

This is a Markdown-only feng shui advisor with disclosed local memory use and no evidence of hidden code, network access, credential access, exfiltration, or destructive behavior.

Install only if you are comfortable with the skill saving basic profile and home-layout details in local MEMORY.md for future feng shui questions. On shared machines, review or delete that memory file when finished, and treat its calculations as advisory because the reference rules contain a couple of self-noted table inconsistencies.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Ssd 3

Medium
Confidence
97% confidence
Finding
The skill directs the agent to read personal data from local and same-repository shared memory files and reuse it without re-confirming with the user. This creates a cross-session and potentially cross-skill privacy risk where sensitive profile data may be silently pulled into responses or used beyond the user's current intent.

Ssd 3

Medium
Confidence
99% confidence
Finding
The skill explicitly instructs the agent to store detailed personal and household information, including birth year, sex, residence orientation, floor, and derived profile data, in MEMORY.md for future reuse. Persisting this level of identifying and contextual household data increases the chance of unintended disclosure, over-retention, and secondary use by other tools or later sessions.

Ssd 3

Medium
Confidence
96% confidence
Finding
The workflow requires caching the user's derived profile and directional analysis for later queries, which extends the privacy risk beyond raw inputs to inferred personal attributes. Derived data can still be sensitive, and reusing it later without renewed context or consent can expose information the user did not intend to persist or share broadly.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.