Back to skill

Security audit

Pubtest

Security checks across malware telemetry and agentic risk

Overview

This is a coherent I Ching reference and divination skill, with the main privacy consideration being local logging of readings.

Before installing, consider whether you are comfortable with readings being saved locally in the skill's CSV/JSON history files. Avoid entering sensitive health, legal, financial, or relationship details unless you intend to keep a local record, and consider clearing or disabling the log if privacy matters.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The skill description uses broad trigger language such as requests to '起卦、解读卦象、查询64卦卦辞爻辞或进行占卜分析', which can match a wide range of generic interpretation requests and cause over-activation. Overly broad activation increases the chance the agent invokes this skill in unrelated contexts, leading to inappropriate handling of user input and unnecessary access to associated reference/logging behavior.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill documents persistent storage of divination history in `yijing-log.csv`, including date, subject of consultation, line values, and derived results, but does not specify any user-facing notice, consent flow, retention limit, or deletion mechanism. Because '占何事' may contain sensitive personal matters such as health, family, finances, or disputes, silent logging creates a privacy risk and potential unauthorized retention of intimate user data.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.