Astro Transits

Security checks across malware telemetry and agentic risk

Overview

This is a local astrology calculator whose disclosed file saving and birth-data handling fit its stated purpose.

Install the Python dependency in a virtual environment, and keep saved natal chart JSON files private because they contain birth date, time, timezone, and location coordinates. Choose --save paths carefully to avoid overwriting unrelated files.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 87% confidence
Finding: The skill documentation instructs the agent to generate and save a natal chart JSON file (`--save natal.json`), which implies file-write capability, but the metadata declares no required permissions. This mismatch can cause the runtime or reviewer to underestimate the skill's capabilities, and if executed in a broader agent context it could enable unintended writes or bypass permission expectations.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal