Security audit

塔罗牌占卜

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed paid tarot skill, but users should review it because payment configuration and local storage are under-scoped and partly inconsistent.

Review before installing or paying. Confirm which config file the scripts will actually read, verify the clawtip amount and recipient manually, do not ask highly sensitive personal questions unless you accept local retention, and delete the local order/database files if you do not want payment and reading history kept.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 81%
Finding:
The skill documentation exposes executable steps that invoke local Python scripts and references configuration and order files, yet it does not declare permissions for file read/write behavior. This creates a transparency and consent problem: users and hosting platforms may not realize the skill persists data locally or accesses sensitive config material such as payment settings and cryptographic keys.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 96%
Finding:
The declared purpose is a simple tarot divination service, but the documented and inferred behavior includes payment processing, local persistence, secret handling, encryption, and order validation. That mismatch is dangerous because users may consent to entertainment functionality without understanding that the skill handles money, stores order records, and accesses sensitive local configuration, expanding the trust boundary significantly.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding:
The file’s primary behavior is to create and persist a payment order, including encrypted payment payload generation and database insertion, rather than performing tarot-card selection or interpretation as promised by the skill description. This is a significant scope mismatch that can mislead users into initiating payments or disclosing data under false expectations, which is especially risky in an agent skill context where users rely on manifest descriptions to understand capabilities.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding:
Database-backed payment order creation is an unjustified privileged capability for a skill described only as tarot divination, because it introduces financial transaction handling and persistence without clear necessity from the stated purpose. In this context, hidden payment infrastructure increases the risk of unauthorized charging workflows, abuse of stored order data, and user deception about what the skill really does.

Description-Behavior Mismatch

Severity: High
Confidence: 92%
Finding:
This file implements persistent payment/config/order handling and fulfillment storage that goes well beyond a tarot card reading skill’s stated purpose. In a skill context, undocumented collection and storage of order metadata, payment destinations, client IPs, and service results expands the attack surface and creates privacy and integrity risks, especially if other parts of the skill can influence indicator/order numbers or query these records.

Context-Inappropriate Capability

Severity: Medium
Confidence: 84%
Finding:
The code reads a user configuration file containing payment/collection information, which is unrelated to core tarot logic and gives the skill access to sensitive local configuration data. Even without immediate exfiltration shown here, unnecessary access to financial configuration violates least privilege and could be abused by adjacent code paths or future modifications.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding:
This file adds full SM4 encryption/decryption functionality that is unrelated to a tarot-reading skill’s declared purpose. In an otherwise simple consumer-facing divination skill, unexplained cryptographic utilities increase suspicion because they can enable hidden data protection, exfiltration support, or unauthorized payment/order processing logic without any user-visible need.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
The skill exposes a general cryptographic capability that is not justified by tarot functionality, and the implementation uses ECB mode, which is insecure because it reveals plaintext patterns and is unsuitable for protecting structured data. In a low-trust, unrelated skill context, hidden encryption helpers materially raise the risk that the package contains undeclared sensitive-data handling or covert functionality.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The skill includes a payment workflow but the charging condition is not surfaced as an upfront warning before the user reaches invocation steps. Even though the fee is small, insufficient pre-invocation disclosure can lead to uninformed purchases or dark-pattern style monetization, especially in agent-driven flows where users may execute commands directly.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The code stores order metadata, including the user’s question and payment-related fields, in persistent storage without any evidence of user notice, consent, retention limits, or data minimization. For a tarot service, user questions may contain sensitive personal content, so persisting them alongside order identifiers and payee information creates avoidable privacy and compliance risk if the storage is later accessed or misused.

Missing User Warnings

Severity: Medium
Confidence: 73%
Finding:
The code accepts an encrypted payment credential, decrypts it locally, and trusts fields from the decrypted JSON without any visible authenticity check, binding to order metadata, expiration check, or replay protection. If an attacker can forge or reuse a credential blob that decrypts successfully to `{ "payStatus": "SUCCESS" }`, they may obtain fulfillment without legitimate payment.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.