ClawHub

bazi-calc

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only Bazi chart calculator, with the main privacy caveat that it tells the agent to use web search for some calendar checks involving birth details.

Reasonable to install if you want Bazi chart calculations. Avoid adding unnecessary personal identifiers, and when the agent uses web search for lunar conversion or almanac verification, keep queries limited to the minimum birth date, time, and location information needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill is presented as a pure calculation tool, but it instructs the agent to use web search for lunar-to-solar conversion. That expands the skill's capability from local computation to external network access and may transmit sensitive birth information to third-party services without necessity or user awareness.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Mandating web search to cross-check the computed day pillar against an external almanac introduces unnecessary outbound access for a computation-only skill. This creates avoidable data exposure and dependency on untrusted external content, increasing both privacy and integrity risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Birth date, time, and possibly location are personal data, and the skill instructs web search using that information without any privacy notice or consent flow. Sending such data to search engines or third-party sites can expose sensitive personal attributes and create an unnecessary privacy leak.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The requirement to verify results through web search means user-derived birth information may be exposed externally, yet the skill provides no disclosure of that privacy implication. Because this verification is framed as mandatory, users are denied a meaningful chance to opt out of third-party data sharing.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal