Security audit

Yunshi

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real astrology skill, but it needs Review because it stores sensitive birth and family data and uses scheduled agent prompts that can search the web and run local tracking commands.

Install only in a private or well-isolated workspace unless you add access controls around profile files and userId-based lookups. Avoid storing real names, exact birth details, or relatives' data unless users understand the retention and deletion limits. Review or disable cron pushes if you do not want unattended web searches, local command execution, preference tracking, or sensitive readings appearing in runtime logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (24)

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The skill description understates materially relevant behaviors: it stores sensitive personal profiles, tracks user preferences over time, manages scheduled push jobs, and relies on local filesystem state. This mismatch can mislead users and operators about the actual privacy and persistence footprint, undermining informed consent and making it easier to deploy the skill without appropriate safeguards for sensitive birth/family data.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The registration flow advertises scheduled push delivery to Telegram, Feishu, and WhatsApp, which implies outbound messaging integrations, persistent user contact data, and ongoing processing beyond the stated local/no-external-API astrology scope. This creates a scope-expansion and transparency problem: users may provide data under one trust model while the documented behavior suggests broader data use and potentially external data transfer.

Description-Behavior Mismatch

Low
Confidence
88% confidence
Finding
The privacy notice promises that users can request deletion, but this file only defines collection and storage-related flows and provides no deletion workflow, command, or operational behavior. Making unsupported deletion claims is dangerous because users may rely on a privacy control that does not actually exist, leaving sensitive birth and profile data retained unexpectedly.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The `--list` mode prints personally identifying information (`name`, `userId`), push configuration, last-push metadata, and full BaZi birth-chart details for every subscribed user. In a multi-user host, shared logs, CI/cron environment, or admin shell context, this creates unnecessary exposure of sensitive profile and birth-derived data beyond what is needed to deliver fortunes.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
`sendMessage` logs the full personalized fortune to stdout while comments state it will be sent to the user by the runtime. Because the message contains personal profile-derived content, stdout may be captured by cron logs, platform logs, or other operators, causing unintended disclosure and a mismatch between developer expectations and actual data handling.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The function claims to compute annual flying-star placements for any year, but it implements only a simplistic 3-year cycle and returns generic star names that are inconsistent with later logic expecting names like '一白贪狼'. In a fortune-telling/feng shui skill, incorrect calculations directly undermine the integrity of the advice and can systematically produce wrong annual recommendations.

Intent-Code Divergence

Low
Confidence
98% confidence
Finding
The wealth-position analysis hard-codes the label '流年财位(2026)' regardless of the supplied year, which causes the report to misrepresent time-sensitive output. This is a data integrity flaw: users may believe they are receiving year-specific advice when the displayed label is objectively incorrect.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The CLI exposes bulk administrative operations over all locally stored profiles, including listing all users, showing complete records, updating arbitrary fields, and deleting profiles, with no authentication, authorization, or role separation. In a skill that handles highly sensitive personal and family birth data for fortune-telling, this creates an unnecessary over-broad data access surface and increases privacy risk if the script is run by an unintended local user or integrated into a wider agent workflow.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The morning push prompt explicitly instructs the agent to search current news and incorporate it into outputs, which exceeds the declared 'no external API required' and built-in/local divination scope. This creates a scope-expansion risk: the scheduled job may perform unintended external retrieval and produce outputs based on live data sources not disclosed to users, increasing privacy, integrity, and prompt-injection exposure.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The evening push prompt likewise directs retrieval of 'important evening news' and asks the agent to forecast impacts, again contradicting the advertised self-contained functionality. In a scheduled unattended context, this broadens capabilities and increases the chance of external-content abuse, hallucinated sourcing, or prompt-driven behavior outside the user-expected astrology function.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The prompt instructs the agent to run local Node commands, including a preference-tracking record operation, from within an automated push workflow. Embedding command execution instructions in free-form scheduled messages is dangerous because it couples content generation with side effects, expanding the blast radius if the prompt is manipulated and enabling undisclosed tracking unrelated to the core user-visible divination output.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The evening prompt repeats the pattern of directing local script execution and engagement tracking during scheduled message generation. This is risky because unattended cron-driven prompts should not contain operational instructions that can trigger filesystem or process-level actions; doing so mixes presentation logic with privileged behavior and can lead to unauthorized state changes or opaque telemetry collection.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The script pre-creates structured records for spouse, father, and mother, encouraging storage of third-party sensitive personal data that is not necessary for initial registration. In this skill context, the data is highly personal birth information used for divination, so silently expanding storage to family-member profiles increases privacy risk and data collection beyond the user's own registration scope.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script reads all Markdown files from a path controlled by the OPENCLAW_KNOWLEDGE_DIR environment variable, or from a workspace directory under the user's home directory, and then incorporates their contents into analysis output. This creates a local file disclosure and untrusted-content ingestion risk: a caller who can influence the environment or workspace contents can cause the skill to read arbitrary local files from unintended locations and surface sensitive data or adversarial instructions through the generated astrology output.

Vague Triggers

Medium
Confidence
84% confidence
Finding
Very broad trigger phrases such as generic fortune-telling and horoscope terms increase the chance of unintended activation during ordinary conversation. In a skill that handles sensitive profile data and automated push behavior, accidental activation can lead to unnecessary collection, storage, or processing of personal information without clear user intent.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The usage guidance includes vague utterances like '算命', '看运势', and '占卜', which are common conversational phrases and may cause the skill to activate when the user did not intend to invoke a stateful astrology assistant. Because the skill also supports profile management and behavioral tracking, this ambiguity raises privacy and consent risks beyond a harmless false activation.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill advertises automatic morning/evening push delivery but does not pair that feature with a prominent warning about ongoing notifications, persistent profile use, and continued processing of stored personal data. This is risky because users may enable pushes without understanding that the system will keep using their birth/profile information on a recurring basis.

Natural-Language Policy Violations

Medium
Confidence
81% confidence
Finding
The template defaults users to Asia/Shanghai timezone and Chinese language before user choice, which can cause inaccurate fortune calculations and unwanted profiling assumptions based on locale and language. In this skill, birth time and calendar interpretation directly affect astrology outputs, so an incorrect timezone or language default can materially alter generated readings and silently process personal data under incorrect assumptions.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The registration flow collects sensitive personal data including full name, sex, exact birth date, exact birth time, and birthplace before giving a clear upfront notice about processing risks, retention, consent, and sharing. In the context of an astrology skill, exact birth details are essential for functionality, but they are still highly identifying and sensitive, so weak notice and consent handling increases privacy and misuse risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The family-member feature invites users to submit third-party personal data for spouses, parents, and children without any warning about authorization, consent, or the sensitivity of those individuals' birth information. This is particularly risky because the skill processes detailed identity-linked data for people who may have no awareness or ability to exercise privacy choices.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script loads user profile JSON files directly from disk and then includes personal fields such as name and full BaZi data in the generated marriage report. In the context of an astrology skill, this is privacy-relevant personal data, and there is no access control, minimization, consent check, or warning before disclosure, so one user could potentially retrieve and expose another user's stored profile data if user IDs are guessable or improperly supplied.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The code persists sensitive profile information, including birth details and family-member data, directly to local JSON files without any consent prompt, retention notice, or privacy control. In this skill context, the stored data is especially sensitive because it includes not just one user's data but also relatives' personal information, so silent persistence raises meaningful privacy and compliance concerns.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The script prints full profile contents and family-member information, including names, birth dates, birth places, gender, and astrology data, directly to stdout. Terminal output may be captured in logs, shell history, CI runs, or shared consoles, so exposing this data without masking or warning can leak sensitive personal information beyond the intended recipient.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script accepts user BaZi data from command-line arguments and echoes it back to stdout without any privacy notice, minimization, or masking. In a skill handling spiritual/fortune-telling inputs, this can expose sensitive personal profile data through shell history, logs, screenshots, terminal scrollback, or higher-level platform telemetry.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.