Bazi Pan

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a local astrology/fortune helper with a feature-accuracy mismatch, not evidence of unsafe access or malicious behavior.

Install only if you are comfortable treating the results as entertainment or informal reference. The skill may not correctly handle lunar dates or annual fortune calculations despite suggesting those capabilities, so avoid relying on it for serious personal, financial, medical, legal, or life decisions.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Tp4

High

Category: MCP Tool Poisoning
Confidence: 97% confidence
Finding: The skill advertises capabilities it does not implement: it claims lunar-calendar input support and annual fortune (流年) output, but the described invocation only passes four numeric arguments and shows no lunar-to-solar conversion or yearly-cycle computation. This is dangerous because users may rely on inaccurate or fabricated astrological results produced from misinterpreted dates, undermining trust and causing downstream decision harm in a tool explicitly presented as requiring accuracy.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal