Security audit

星座宝典(AI付版) - 聚合数据

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed paid horoscope lookup skill with limited data use and no executable code, though users should avoid any real testing over plain HTTP.

Install only if you are comfortable with a paid Alipay-backed horoscope lookup. Confirm the displayed price and order details before paying, verify the required Alipay payment skills, and avoid using real queries or payments in any plain-HTTP local test setup.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The skill explicitly permits plain HTTP transmission in local testing, which removes transport encryption and enables interception or tampering of query parameters and server responses on any untrusted network. Even if the payload is limited to constellation name and period, the response flow includes payment-related behavior, so insecure transport can expose metadata or allow manipulation during testing that may be copied into broader deployments.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal