Interpret Fate Via Ziwei

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Ziwei astrology skill, but users should know that birth details and gender may be placed into a third-party chart URL.

Install only if you are comfortable providing precise birth details and a binary gender parameter for astrology interpretation. Prefer the local calculation path with a trusted Node.js and iztro installation; only open or share the generated ziwei.pub link if you are comfortable exposing the embedded personal details to that third-party site and anyone who can see the URL.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill asks for highly sensitive personal data including full birth date, time, and gender, which can be used for profiling or identity-related inference, but it provides no privacy notice, minimization guidance, or explanation of how that data will be handled. In this context, the data is not obviously collected for a harmful purpose, but the omission creates avoidable privacy and misuse risk.

Missing User Warnings

Medium
Confidence: 98%
Finding
The skill instructs the agent to generate a third-party URL containing the user's birth date, gender, calendar type, and leap-month status as query parameters, which exposes personal data through links, browser history, logs, referrers, and external services. Because the destination is an external astrology site, this meaningfully increases disclosure risk beyond the local skill context.

Natural-Language Policy Violations

Medium
Confidence: 90%
Finding
The skill requires a binary gender choice without offering alternatives or explaining why that field is necessary, which can exclude users and force disclosure of sensitive personal information. In this astrology context the field may be used by the underlying method, so the issue is less about direct security compromise and more about privacy and inappropriate data collection design.

VirusTotal

65/65 vendors flagged this skill as clean.
