ClawHub

Yunshi

Security checks across malware telemetry and agentic risk

Overview

Yunshi looks like a legitimate local fortune-telling skill, but it needs Review because it stores sensitive birth and family profiles and sets up recurring push workflows with weak scoping and disclosure.

Install only if you are comfortable storing sensitive birth, relationship, preference, and push data as local JSON files. Use a private machine, lock down the profile directory, avoid pointing OPENCLAW_KNOWLEDGE_DIR at broad personal notes, review the cron/push setup before enabling it, and do not use guessable or untrusted user IDs for profile operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The documentation promises WhatsApp as a push channel even though the skill metadata says pushes are only supported via Telegram and Feishu. This mismatch can mislead users into sharing contact details or expecting integrations the system does not actually implement, increasing privacy and trust risks and potentially causing downstream insecure ad-hoc handling.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The scheduled morning prompt explicitly instructs the agent to search current news, which expands the skill from local fortune generation into external information retrieval. This creates a trust-boundary mismatch with the skill description ('no external API') and can lead to unexpected network access, data disclosure in prompts, or policy bypass if users or operators assumed the skill was local-only.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The evening push has the same issue: it instructs the agent to search current evening news despite the skill advertising no external API use. In a scheduled context this is riskier because it happens automatically, potentially causing unanticipated outbound access and sending sensitive user context into external retrieval or model pipelines.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script reads markdown files from a directory controlled by the OPENCLAW_KNOWLEDGE_DIR environment variable, then ingests their contents into rule-building logic without constraining the path to a trusted workspace. In an agent/skill environment, a user or upstream process that can influence environment variables can cause the skill to read arbitrary local files from attacker-chosen directories, creating local file disclosure and unintended data ingestion risk.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger list includes broad, common phrases such as "my horoscope" and "daily horoscope," plus multilingual generic divination terms. In voice or chat-driven agent environments, overly broad triggers can cause unintended activation, leading to privacy issues, unexpected processing of personal birth data, or invocation in unrelated conversations.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill states that sensitive profile data is stored in `data/profiles/<userId>.json`, including birth details and family-member information, but the collection commands do not show an upfront warning or consent step at the moment of capture. Because this is intimate personal data and may enable long-term profiling through preference tracking and push history, silent persistence materially increases privacy risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The registration flow requests highly sensitive personal data up front, including full birth date, exact birth time, birth place, and later family-member data, before presenting privacy terms or explaining messaging-channel implications. In this skill’s context, that data is sufficient for detailed profiling and is especially sensitive because it can reveal identity, relationships, and routine notifications across external platforms.

Missing User Warnings

Medium
Confidence
75% confidence
Finding
The script persists per-user push history and operational logs to local JSON files without any visible access controls, retention policy, minimization, or user-consent checks. In this skill's context, profiles contain highly sensitive personal and spiritual-profile data (names, birth/fate data, preferences), so retaining identifiers and activity records increases privacy risk if the skill directory, backups, or host environment are exposed.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script generates authoritative-sounding marriage compatibility scores and explicit recommendations such as advising whether users should proceed cautiously with marriage, but it provides no disclaimer that the output is interpretive, entertainment-oriented, or unsuitable for major life decisions. In the context of a fortune-telling skill focused on relationships, users may reasonably rely on these outputs for consequential personal decisions, creating a meaningful safety and trust risk.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The scheduled message embeds personal profile data such as name, full BaZi details, and user ID into a prompt used for automated pushes. In a scheduler/agent environment, this increases privacy risk because sensitive personal data may be logged, stored with cron configuration, exposed to operators, or forwarded to other tools without any explicit privacy notice or minimization.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"docs": "docs"
  },
  "dependencies": {
    "iztro": "^2.5.8"
  }
}
Confidence
95% confidence
Finding
"iztro": "^2.5.8"

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal