BaZi Chart Calculator (八字排盘)

Security checks across malware telemetry and agentic risk

Overview

This is a local BaZi chart calculator with no evidence of hidden data access, persistence, or unsafe actions, though one calculation bug may affect accuracy.

Install it in the documented virtual environment and consider pinning ephem if reproducible results matter. Birth details are personal information, but these artifacts appear to process them locally without storing or transmitting them. Treat results near solar-term boundaries with caution until the time conversion issue is fixed or tested against trusted references.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Intent-Code Divergence

Medium
Confidence: 97%
Finding
The implementation contradicts its own contract: `_find_solar_term_moment` says it returns UTC, but it subtracts 8 hours from a value already marked as UTC before later converting to CST. This can systematically shift solar-term boundaries and cause incorrect month pillar, adjacent-jie, and luck-cycle calculations, which is integrity-impacting in a divination/calculation skill even if it does not create code-execution risk.

VirusTotal

64/64 vendors flagged this skill as clean.
