YunShi

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local fortune-telling skill with optional saved profile and scheduled message delivery, but users should review those privacy settings before use.

Install only if you are comfortable with a local user_chart_profile.json being created from your birth/chart details and reused later. Enable scheduled pushes only to private channels you control, and review or delete the saved profile if you no longer want the skill to retain that data.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (11)

Description-Behavior Mismatch

Medium

Confidence: 95% confidence
Finding: The skill is presented as a local/offline fortune-telling tool, but the nightly push section requires sending generated content to external messaging channels. This creates a clear capability mismatch that can mislead users and operators about network use and data flow, especially when archived profile data may be included in outbound messages.

Context-Inappropriate Capability

Medium

Confidence: 89% confidence
Finding: Direct multi-channel messaging is not necessary for the core purpose of generating local fortune outputs, so it expands the skill's authority beyond user expectations. Unnecessary outbound communication pathways increase the risk of unintended disclosure, abuse of connected messaging accounts, and covert exfiltration under the guise of a harmless offline skill.

Intent-Code Divergence

Medium

Confidence: 94% confidence
Finding: The document claims the skill is 'local offline explainable' while later depending on external sending tools for cron delivery. This inconsistency can cause reviewers and users to underestimate the skill's ability to transmit data outside the local environment, weakening informed consent and security review accuracy.

Description-Behavior Mismatch

Medium

Confidence: 95% confidence
Finding: The skill is presented as a local offline fortune-telling tool, but the rules also prescribe persistent storage of highly personal chart/profile data to a local file. That creates a privacy and data-minimization issue because retention is broader than users would reasonably expect from the stated purpose, and the document does not require explicit informed consent before writing sensitive data to disk.

Context-Inappropriate Capability

Medium

Confidence: 97% confidence
Finding: Automatically creating a long-lived profile when a complete chart text is merely detected is a true privacy vulnerability because it converts incidental user input into durable profiling without an explicit save action. In this skill context, chart text can contain sensitive birth/time and inferential personal data, so silent persistence materially increases exposure if the host environment, filesystem, or other local users can access the file.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The README states that the skill can automatically create and reuse a persistent `user_chart_profile.json` containing a user's chart/profile data, but it does not clearly warn users that personal data will be stored locally or require explicit opt-in. Even if storage is local and offline, birth date and astrological chart data are still personal data, so silent persistence creates a privacy risk and can expose sensitive information to other local users, backups, or workspace consumers.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill instructs persistent storage of user astrological profile data in JSON but does not require explicit notice, consent, retention limits, or deletion controls. Because star charts and birth details can be sensitive personal data, silent persistence across sessions creates privacy and compliance risk.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill requires direct outbound sending to external channels but does not mandate an explicit user warning or confirmation for automatic delivery. This is dangerous because generated content derived from archived personal profile data could be sent to third-party destinations without clear, contemporaneous consent.

Missing User Warnings

Medium

Confidence: 98% confidence
Finding: The rules specify persistent storage of detailed profile data, including raw chart text and multiple personal attributes, but do not require any user-facing warning at the moment storage occurs. This is dangerous because users may not realize sensitive data is being retained locally, preventing meaningful consent and increasing the chance of unintended disclosure or overcollection.

Ssd 3

Medium

Confidence: 94% confidence
Finding: The instructions require persisting and reusing user-provided astrological profile data across sessions, which establishes a cross-session personal data store. Without clear consent, minimization, retention, and protection requirements, this creates unnecessary privacy risk and increases the consequences of future misuse or accidental disclosure.

Ssd 3

High

Confidence: 97% confidence
Finding: The nightly push workflow instructs the skill to pull archived user data and deliver generated messages to external destinations, combining persistence with outbound transmission. In context, this is the most dangerous behavior because a supposedly offline entertainment skill can silently become a scheduled data-processing and external-delivery pipeline.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal