ClawHub

Ziwei Fortune — 紫微斗数命盘

Security checks across malware telemetry and agentic risk

Overview

This is a fortune-chart instruction skill that stores birth details locally for reuse, which is privacy-relevant but disclosed and aligned with its purpose.

Install only if you are comfortable with the skill saving and reusing your lunar birth date, birth time, gender, and chart details in a local MEMORY.md file. Review or delete that file if you do not want retained data, and remember the skill is for entertainment or self-reflection, not medical, legal, or financial advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill explicitly collects and persists sensitive personal data, including birth date, birth time, and gender, to MEMORY.md without demonstrating that long-term retention is necessary for the requested one-off analysis. Persistent storage increases the chance of later unintended disclosure, reuse outside user expectations, or cross-session profiling of sensitive personal attributes.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The skill is instructed to read profile data from another skill's fortune-hub/MEMORY.md, which creates cross-skill data access beyond the declared single-purpose Ziwei analysis role. This broadens the trust boundary and can expose user data collected in a different context without fresh consent or clear necessity.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill asks for and stores sensitive birth details and gender, but the collection flow does not present a clear privacy warning or obtain informed consent at the point of collection and persistence. Users may reasonably believe they are providing transient input for analysis, not authorizing durable storage of personal profile data.

Ssd 3

Medium
Confidence
95% confidence
Finding
The instructions establish ongoing retention and reuse of user birth details in plain-language memory without clear minimization or retention limits. Because birth date, birth time, and gender are identifying and sensitive in aggregate, retaining them for future use increases privacy exposure and the risk of secondary disclosure.

Ssd 3

Medium
Confidence
94% confidence
Finding
The sample MEMORY.md schema encourages maintaining a standing user profile plus cached inferred fortune results, which expands retention from raw inputs to user-linked interpretations and traits. This creates a durable dossier of both personal data and derived inferences that may later be surfaced or repurposed beyond the original interaction.

Ssd 3

Medium
Confidence
94% confidence
Finding
Saving chart outputs for later reuse extends the lifespan of user-linked personal and inferred data beyond the initial request, increasing the attack surface for accidental disclosure across later conversations. The risk is amplified because fortune outputs can encode sensitive traits, life-stage assumptions, and identity-linked birth details.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal