ClawHub

Vedic Horoscope

Security checks across malware telemetry and agentic risk

Overview

The skill appears to do what it claims, but it asks for unusually sensitive identity, family, contact, and birth details without clear privacy or retention disclosures.

Review this carefully before installing or using it. Only submit this kind of personal and family data if you trust the service operator and have clear answers on why each field is needed, where it is sent, how long it is stored, who can access it, and how deletion is handled.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The overview states that the service processes birth information and generates downloadable horoscope PDFs, but it provides no privacy notice, consent language, data minimization guidance, or retention/deletion details. Because horoscope generation involves personal identity and birth data that is transmitted to an external service, users may unknowingly expose sensitive personal information without understanding how it will be stored, shared, or reused.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The request schema includes highly sensitive personal fields such as full name, parents' names, mobile number, exact date/time of birth, and location, yet the documentation gives no warning about privacy exposure, storage, or downstream processing. In combination, these fields create a rich identity profile that could enable profiling, re-identification, social engineering, or misuse if the external service is compromised or logs requests insecurely.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal