Suanming

Security checks across malware telemetry and agentic risk

Overview

This is a simple entertainment fortune-telling skill that asks for birth date details and generates canned readings, with no evidence of hidden access, network use, persistence, or destructive behavior.

Install only if you want an entertainment-style fortune-telling skill. Expect it to ask for birth date and possibly birth time, and treat its money, career, relationship, and health readings as generic entertainment rather than advice. If it activates from a vague phrase, confirm that the user actually wants a fortune-telling reading before proceeding.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding:
The skill description promises a Liu Yao divination chart (六爻排盘) based on birth date/time, but the implementation uses a simplistic year/month/day digit heuristic and fixed lookup text. This is a security-relevant integrity issue because users may be misled into believing the system performs a more authoritative analysis than it actually does, which can influence personal, financial, or health decisions under false pretenses.

Intent-Code Divergence

Severity: Low
Confidence: 87%
Finding:
The module claims to calculate a fate reading (命理) from birth data, but much of the output consists of canned health, love, wealth, and career guidance derived only from a coarse element mapping. In this skill context, that can mislead users into treating generic or pseudo-personalized advice as individualized guidance, especially for health-related suggestions.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding:
The trigger list includes broad everyday terms such as '运势' (fortune/luck) and '算一算' (roughly "work it out"), which can cause the skill to activate in contexts where the user did not intend to request fortune-telling. This creates routing and consent problems: users may have unrelated conversations intercepted by a pseudoscientific analysis flow, leading to confusing or inappropriate responses.

VirusTotal

64/64 vendors flagged this skill as clean.