ClawHub

Vedic Astrology

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only Vedic astrology skill that fits its stated purpose, but it can save and reuse birth details locally for future readings.

Install only if you are comfortable with the skill saving your birth date, birth time, birthplace, timezone, and chart estimates in a local MEMORY.md file for reuse. Review or delete that file if you share the environment or want the reading to remain session-only.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The manifest frames the skill as a pure local interpretation tool with no external API, but the documented behavior includes persistent collection and reuse of sensitive birth data via MEMORY.md. That discrepancy can mislead users and integrators about the skill's actual data-handling behavior, reducing informed consent and increasing privacy risk.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The skill instructs the agent to read from fortune-hub/MEMORY.md to fill missing profile fields, expanding data access beyond the skill's stated single-purpose scope. Cross-skill data reuse can expose unrelated personal information and violates data minimization because the astrology skill should not silently pull profile data from another module.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The skill persistently stores full birth date, time, birthplace, timezone, and derived astrological profile in MEMORY.md, which is sensitive personal data. Retaining this information in plain text creates privacy and profiling risk, especially since exact birth details are often used as identity-verification attributes or highly personal quasi-identifiers.

Vague Triggers

Medium
Confidence
90% confidence
Finding
Using the single word "Vedic" as a trigger is overly broad and can activate the skill in unrelated contexts, causing unintended handling of user messages. In a skill that reads and writes personal memory, over-triggering increases the chance of collecting or reusing sensitive data when the user did not intend to invoke astrology functionality.

Missing User Warnings

High
Confidence
99% confidence
Finding
The skill directs the agent to store highly sensitive birth information and derived profile data without any explicit privacy warning, consent prompt, or retention notice. This is dangerous because users may reasonably assume they are providing data only for the current reading, not for persistent reuse across sessions.

Ssd 3

Medium
Confidence
98% confidence
Finding
The instruction to persist and reuse sensitive birth details from MEMORY.md without asking again bypasses renewed user consent and normal expectation checks. Silent reuse of personal data increases the risk of inappropriate disclosure, stale-data errors, and cross-session privacy violations.

Ssd 3

Medium
Confidence
96% confidence
Finding
Caching the complete astrological profile in MEMORY.md creates an ongoing plain-text retention policy for sensitive inferred attributes, not just raw birth data. Derived profile information can reveal intimate beliefs, personality inferences, and life-stage interpretations, compounding privacy exposure if accessed by other skills or operators.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal