Zi Wei Dou Shu Chart Casting and Interpretation

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent local astrology charting helper, with the main caution that optional fixture files can store private birth details on disk.

Install only if you are comfortable using a local Node CLI for astrology charting. Treat birth time, birthplace, gender, longitude, and generated fixtures as private; keep personal fixture JSON files out of shared repos and delete them when no longer needed. Run the longitude regeneration script only when you intentionally want network requests to refresh bundled location data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 91%
Finding
The guidance explicitly tells users to save full CLI stdout together with birth inputs such as birth time, gender, birth place, and optional longitude. In this skill context, that data is highly sensitive personal information, and storing it in fixtures or attaching it to model conversations increases the risk of unintended retention, sharing, or repository leakage without any privacy warning, minimization, or redaction guidance.

Missing User Warnings

Medium
Confidence: 92%
Finding
This script explicitly persists both the full CLI input and full CLI output into a fixture JSON on disk. In this skill’s context, the input includes birth time, birthplace, gender, and potentially other personal astrology data, which can be sensitive personal information; saving it without minimization, redaction, retention controls, or an explicit warning increases the risk of unintended disclosure through source control, backups, shared workspaces, or fixture reuse.

VirusTotal

65/65 vendors flagged this skill as clean.
