ClawHub

Than Cuu Numerology Analysis

Security checks across malware telemetry and agentic risk

Overview

This is a Markdown-only numerology skill that asks for personal identifiers and saves results locally, but it discloses those behaviors and shows no code execution, network transfer, credential use, or hidden destructive behavior.

Install only if you are comfortable giving the assistant full names and birth dates for this numerology workflow and having the resulting analysis saved in a local knowledge base. Do not provide ID numbers, identity-document images, addresses, or third-party personal data without permission. Review and delete saved files or index entries if you do not want these analyses retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The file claims a numerology-style analysis based on full name and date of birth, but the actual content is a long personality questionnaire resembling a different assessment model. This mismatch can mislead users about what data is needed and how it will be used, undermining informed consent and creating risk of deceptive data collection.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The document requests full legal identity details tied to government ID conventions and extensive questionnaire answers beyond the manifest's stated inputs. Collecting more sensitive data than advertised violates data minimization principles and increases the chance of privacy harm, profiling, or misuse if the data is stored or shared.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill instructs automatic persistence of full numerology analyses along with names and dates of birth into a local knowledge store without any explicit consent, warning, or retention limits. This creates a privacy and data-minimization problem because sensitive personal data and derived profiling data are retained and made reusable beyond the original request.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The document explicitly instructs users to use highly sensitive identity documents such as CMND/CCCD to obtain name and date-of-birth data, but provides no privacy notice, minimization guidance, consent requirement, retention limit, or warning about handling regulated personal data. In a personality-analysis skill, this unnecessarily normalizes collection of identity-linked information and increases the risk of overcollection, disclosure, or downstream misuse.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill states that analysis may rely on multiple categories of closely related personal data, including birth name, alias, personal ID, birth date, and home address, without any discussion of privacy impact or necessity. Because the skill is for numerology/personality assessment rather than an essential regulated service, the broad data collection is contextually more dangerous and disproportionate.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The file explicitly asks users to provide personal information in a form matching government identification records, but provides no privacy warning, consent language, or data-handling explanation. In a personality-analysis context, this is especially risky because it combines identity-linked data with sensitive inferred traits, enabling invasive profiling.

Ssd 3

Medium
Confidence
98% confidence
Finding
The skill explicitly directs the agent to persist full derived personality analysis based on personally identifying inputs into a reusable knowledge repository and index. In this context, that is especially risky because the inputs include full legal names and dates of birth, and the outputs are sensitive inferred attributes, increasing the privacy harm of later disclosure, unintended reuse, or cross-session access.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal