Palmistry Ai Palm Reader

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed palm-reading API integration, but users should know that palm photos are sent to ToolWeb and that each request may count against paid API quota.

Install only if you are comfortable sending palm photos and request metadata to ToolWeb for processing. Use a dedicated or limited API key where possible, monitor quota or billing, and avoid uploading images of other people without their consent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The README instructs users to send a palm photo to the skill, but it does not clearly disclose that the image may be transmitted to an external ToolWeb service for processing. Because palm images are biometric and potentially sensitive personal data, this omission can cause users to share data without informed consent and creates privacy/compliance risk.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding:
The skill metadata and description use broad trigger phrases like palm reading, fortune reading, and line interpretation without strong narrowing conditions, which can cause the skill to activate in ambiguous contexts. Unintended invocation increases the chance that users share sensitive palm images or that the agent routes requests to a paid third-party service when the user did not clearly consent to that workflow.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The workflow instructs the agent to collect a palm image, convert it to base64, and send it to an external API, but it does not clearly require a user-facing disclosure or consent warning before transmission. Because palm images are biometric-like personal data and the skill also emphasizes mandatory API usage and billing, users may unknowingly have sensitive images sent to a third party.

VirusTotal

66/66 vendors flagged this skill as clean.