Back to skill

Security audit

随便算算-八字命理助手

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its astrology purpose, but it includes an unsafe auxiliary script that can execute shell commands from user-controlled input and it sends birth-chart data to a configured LLM backend.

Install only if you are comfortable providing birth date/time, gender, and questions to your configured OpenClaw/OpenAI-compatible model provider. Avoid invoking convert.py; it contains an unsafe shell command path and should be removed or fixed before direct CLI use. The main documented skill path does not show persistence or destructive behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (10)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
#subprocess.call("cls", shell=True)
print(result)
print(subprocess.check_output("python bazi.py -b " + result, shell=True).decode('gbk'))
Confidence
99% confidence
Finding
print(subprocess.check_output("python bazi.py -b " + result, shell=True).decode('gbk'))

Lp3

Medium
Category
MCP Least Privilege
Confidence
75% confidence
Finding
The manifest declares no permissions while the skill reportedly has shell and environment access capabilities. That mismatch can hide the true execution surface from reviewers and users, increasing the risk of unexpected command execution or secret access if the implementation is invoked through auxiliary code paths. In an astrology skill, these capabilities are not obviously necessary from the manifest alone, so the hidden capability surface is more concerning.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The skill description says it performs astrology analysis, but the behavior also includes outbound API calls and loading credentials/configuration from environment variables and a user config file. This is security-relevant because user birth data and questions may be transmitted to third-party services without clear disclosure, and credential/config loading expands the trust boundary beyond what the manifest communicates. The mismatch is especially risky for a user-facing skill handling sensitive personal data.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill reads host-level configuration from ~/.openclaw/openclaw.json and also pulls API credentials from multiple environment variables, exceeding what is minimally necessary for an astrology skill. This broad host introspection increases the skill's access to secrets and deployment metadata, and could expose or misuse credentials if the skill is compromised or behaves unexpectedly.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill constructs an external OpenAI-compatible client and is designed to send astrology inputs to a remote LLM backend, but that outbound data flow is not evident from the stated skill description. Because the inputs include birth-derived personal data and analysis context, this creates an undisclosed third-party data transfer risk.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Executing a shell command is not inherently required for astrology processing here, and the implementation does so unsafely using shell=True plus unsanitized input. In the context of a user-facing astrology skill, this expands the attack surface from text processing to arbitrary command execution.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger example uses a very generic phrase like '帮我分析一下', which overlaps with common conversation and can cause the skill to activate when a user did not specifically intend to invoke astrology functionality. In an agent setting, ambiguous triggers can route unrelated user content into this skill, causing inappropriate responses, privacy over-collection of birth data prompts, or interference with other tools.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The README explicitly permits direct use from a generic phrase without clearly defining activation conditions, making invocation ambiguous. In multi-skill or assistant environments, this increases the chance of accidental activation and can lead the system to solicit sensitive personal data such as birth date, time, sex, and calendar type when the user may not have intended to engage this skill.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill sends detailed birth-chart context, gender, timing context, and user questions to an external LLM without any visible consent or disclosure mechanism in this file. Birth date/time and related derived data are sensitive personal information, so transmitting them to a third party creates privacy, compliance, and retention risks.

Ssd 1

Medium
Confidence
88% confidence
Finding
The prompt explicitly instructs the model to hide that its answer is based on supplied Bazi/dayun/liunian context and to avoid revealing the embedded prompting basis. Concealing material context from users can create deceptive outputs, undermine transparency, and make it harder for users or auditors to detect when the system is relying on injected, stale, or manipulated hidden inputs.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.