Liuyao Bagua

Security checks across malware telemetry and agentic risk

Overview

This is a local fortune-telling skill that runs an included Python script and does not show network sharing, credential access, persistence, or destructive behavior.

Install only if you want the agent to perform entertainment-style fortune readings from birth dates. Because the trigger wording is broad, ask the agent to confirm before running it on casual career, wealth, destiny, or birth-date mentions, and avoid providing another person's birth date without permission.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 94% confidence
Finding: The trigger conditions are broad enough to match common conversational topics such as destiny, fortune, career, and wealth, which can cause the skill to activate when the user did not explicitly ask for divination. That creates unintended tool execution and unnecessary collection/use of sensitive personal data such as birth dates, increasing privacy and safety risk.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal