MeiHuaYi

Security checks across malware telemetry and agentic risk

Overview

This appears to be a disclosed local MeiHuaYi divination skill, but users should know it keeps local records of their questions and readings.

Install only if you are comfortable with local recordkeeping. Avoid entering sensitive personal, medical, legal, financial, or relationship details unless you are willing for them to be stored in the skill's local SQLite files. For offline or stricter environments, keep the bundled iching.json present or block the conditional GitHub fetch, and treat readings as cultural or entertainment-oriented rather than decision-grade advice.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands

Findings (12)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 89% confidence
Finding: The skill declares no permissions, but the documentation describes capabilities consistent with file read/write and likely network access. This creates a trust and review gap: operators and users cannot accurately assess what the skill will do, especially since it persists user content locally and may fetch remote data.

Tp4

High

Category: MCP Tool Poisoning
Confidence: 94% confidence
Finding: The stated purpose is a divination tool, but the documented behavior expands into remote data download, persistent SQLite storage, record querying/updating, and learning-note maintenance. That mismatch is dangerous because users may disclose sensitive questions believing they are using a simple local analysis tool, while the skill performs broader data collection and lifecycle management than advertised.

Description-Behavior Mismatch

Medium

Confidence: 96% confidence
Finding: The module performs a network download automatically at import time, which creates hidden side effects simply by loading the skill. This expands the trust boundary to an external GitHub-hosted resource and can enable supply-chain abuse, unwanted outbound connections, nondeterministic behavior, or denial of service if the remote resource changes or becomes unavailable.

Context-Inappropriate Capability

Medium

Confidence: 94% confidence
Finding: A divination skill has no obvious need for live external network access, yet it can fetch remote content from a third-party URL. Unnecessary network capability increases attack surface, leaks execution metadata, and allows remote content to influence local behavior without strong validation or provenance guarantees.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill says every divination must be automatically saved, including question, time, pattern, reasoning, and conclusion, but provides no clear privacy notice, consent flow, retention period, or deletion controls. Because divination questions can involve highly personal topics, silent persistence materially increases privacy and confidentiality risk.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill instructs the AI to collect detailed contextual information such as location, nearby people, sounds, colors, and activities, yet gives no privacy warning or minimization guidance. These details can reveal sensitive personal context and, when combined with stored questions and timestamps, make re-identification and overcollection more likely.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: This content gives structured divination methods, prescriptive judgment rules, and timing guidance for topics like health, work, finances, and travel, but does not warn users that outputs are interpretive, non-evidence-based, and unsuitable for important real-world decisions. That omission can cause users to over-trust the skill’s advice in consequential situations, increasing the risk of harmful decisions or delayed professional help.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The module persists highly sensitive user content such as questions, analyses, conclusions, and feedback to a local SQLite database automatically, but the code shown provides no notice, consent flow, retention policy, or access controls. In the context of a divination skill, users may enter intimate personal, financial, relationship, or health-related information, so silent storage increases privacy and confidentiality risk if the host system is shared, backed up, or later accessed by other tools.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The migration routine silently imports legacy JSON records into SQLite and then renames the original JSON file to a backup, creating an additional persisted copy of potentially sensitive historical data without clear user awareness. This expands the data exposure surface because both the new database and the backup may remain readable on disk, prolonging retention of private divination history.

Ssd 3

Medium

Confidence: 95% confidence
Finding: The skill explicitly instructs the AI to always save users' questions, analyses, and conclusions and later use them as records. This creates a natural-language data retention risk because sensitive user disclosures become durable artifacts that may be exposed later through listing, querying, or detailed display features.

Ssd 3

Medium

Confidence: 94% confidence
Finding: The skill directs the AI to solicit rich contextual personal details as part of ordinary conversation, and the surrounding design indicates those details may become part of persisted divination records. This is dangerous because it normalizes oversharing and increases privacy leakage without strong necessity, especially in a tool users may treat as intimate or confidential.

Ssd 3

Medium

Confidence: 97% confidence
Finding: The skill supports plain-language listing, searching, pending-view, and detailed display of stored records containing full questions, analyses, conclusions, and feedback. In context, this makes previously stored sensitive content easily retrievable and disclosable, raising confidentiality risk for anyone with access to the skill environment or shared terminal/session.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal