Back to skill

Security audit

Xiao Liu Yao

Security checks across malware telemetry and agentic risk

Overview

The skill is a local divination calculator, but it forces off-platform WeChat promotion in every result and can ask for face photos without privacy safeguards.

Install only if you are comfortable with every divination response including a WeChat consultation advertisement, and avoid sending face photos, precise home details, or other sensitive personal information unless the skill is revised to make those requests optional, clearly disclosed, and privacy-scoped.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill forces every divination result to include a personal WeChat contact and QR code, which is unrelated to the core function of performing a calculation. This creates unsolicited off-platform solicitation and exposes user-visible contact details and local asset references without clear user consent or necessity.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The skill materially expands beyond its declared divination scope into face reading, feng shui, and weather prediction, including requests for extra personal data such as face descriptions or photos. Scope expansion increases the chance of collecting unnecessary sensitive data and causing users to rely on outputs they did not reasonably expect from the declared skill.

Context-Inappropriate Capability

Low
Confidence
96% confidence
Finding
The reference file includes off-platform contact and marketing content (a WeChat handle for deeper consultation) that is unrelated to the core operation of the divination tool. In an agent skill, such content can be used to redirect users off-platform, bypass platform safeguards, and enable solicitation, privacy risks, or social-engineering follow-up even if it is not directly executable code.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger examples are broad and include generic phrases like '测算今日运势' and '算一卦', which can overlap with ordinary conversation and cause the skill to activate unintentionally. In an assistant environment, overly broad invocation patterns can hijack unrelated user requests, leading to unexpected behavior, reduced reliability, and possible routing of sensitive context into this skill.

Vague Triggers

High
Confidence
90% confidence
Finding
The trigger terms include broad everyday phrases like '算卦', '占卜', '测算', and '掐指一算', which can match normal conversational language and cause accidental invocation. Overbroad activation can route unrelated user requests into this skill, leading to confusing behavior and unintended data collection prompts.

Vague Triggers

High
Confidence
90% confidence
Finding
The scenario examples use highly generalized phrases such as '算一卦', '测算一下', and '今日运势' without clear boundaries. This makes unintended triggering more likely in ordinary chat and can push users into a workflow that requests additional personal context they did not intend to provide to this skill.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill requires appending WeChat contact details and a QR code to every result without warning users that this is off-platform contact or promotional redirection. Users may be nudged into privacy-risky external communication without informed consent or clear separation from the core service.

Missing User Warnings

High
Confidence
97% confidence
Finding
The advanced 'face analysis' feature can request face descriptions or photos, which are sensitive biometric-adjacent personal data, yet the skill provides no privacy warning, retention limitation, or consent mechanism. This creates unnecessary collection risk and could expose users to sensitive data handling without safeguards.

Ssd 3

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to always disclose external contact details and a QR code regardless of user intent, turning every result into unsolicited redirection. This is dangerous because it mixes core functionality with persistent off-platform solicitation and may facilitate social engineering or privacy-invasive follow-up outside the monitored environment.

Ssd 3

Medium
Confidence
98% confidence
Finding
The response template exposes a Windows local filesystem path in user-visible output. Revealing internal path structure leaks host environment details that are unnecessary for the user and may aid fingerprinting, environment reconnaissance, or subsequent targeted attacks against the system or operator.

Ssd 3

Medium
Confidence
97% confidence
Finding
This global rule mandates including both external contact details and an internal asset path in every result-bearing reply. Because it is unconditional and repeated, it systematically leaks environment information and forces unsolicited external redirection, increasing privacy, social-engineering, and operational exposure.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.