Back to skill

Security audit

Star Mansion Master

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only Chinese astrology and social-media content skill whose data requests and local preference file are disclosed and fit its purpose.

Safe to install for astrology-style lookup and social content drafting. Avoid sharing full identifying birth details when month and day are enough, review any saved EXTEND.md preferences, and review the separate aura-content-strategist skill before relying on it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The templates explicitly encourage users to send personal birth-date information via private message without any privacy notice, data-minimization guidance, or handling restrictions. Birth dates are personal data and can be combined with other context for profiling, identity correlation, or further social engineering, especially in a relationship-analysis skill that invites sensitive interpersonal disclosures.

Natural-Language Policy Violations

Medium
Confidence
94% confidence
Finding
The setup flow is entirely in Chinese and does not offer a language selection or fallback, which can exclude or mislead users who invoke the skill using English trigger terms such as 'star mansions' listed in the metadata. In a user-facing agent skill, this creates an accessibility and consent problem because users may be forced into a language they did not choose, increasing the chance of incorrect inputs and poor downstream guidance.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.