Astrology API

Security checks across malware telemetry and agentic risk

Overview

This is a coherent astrology API wrapper, but it needs review because it can send sensitive personal details and an API key through an under-scoped curl helper.

Install only if you are comfortable sending astrology inputs such as birth details, names, relationship data, palm images, and wellness-related prompts to the Astrology API provider. Do not let prompts or users supply arbitrary endpoint strings, do not override ASTROLOGY_API_URL unless you trust the host, and prefer a version that validates endpoints against an allowlist before sending the API key.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Missing User Warnings

Medium
Confidence: 92%
Finding: The README explicitly demonstrates sending highly sensitive personal data, including full birth date, time, location, and name, to a third-party API without any privacy warning, consent guidance, or data-handling disclosure. In an agent skill context, this increases the risk that users or downstream agents will transmit personal profile data automatically without understanding that it leaves the local environment.

Vague Triggers

Medium
Confidence: 93%
Finding: The invocation criteria are extremely broad, covering many common personal topics and loosely related esoteric requests. This increases the chance the skill will be invoked in contexts where users do not expect third-party API transmission of personal or sensitive data, especially birth details and relationship data.

Missing User Warnings

High
Confidence: 98%
Finding: The skill instructs the agent to gather highly sensitive personal data, including full birth date, time, city, relationship data, and names, but does not provide a user-facing disclosure that this information will be sent to an external service. Because this data can be identifying and privacy-sensitive, silent transmission meaningfully increases privacy and compliance risk.

Missing User Warnings

Medium
Confidence: 88%
Finding: The document explicitly defines collection of personal data fields such as name, email, notes, and birth data without any accompanying privacy notice, sensitivity warning, or guidance on safe handling. In this skill context, those fields are central to the API and can enable collection of highly identifying personal information, increasing the chance that downstream agents request, store, or transmit sensitive data without informed user awareness.

Missing User Warnings

Medium
Confidence: 95%
Finding: The palmistry section documents endpoints accepting image_url and image_base64 for hand images, but provides no warning that these uploads may function as biometric-style sensitive data and may also expose users to risks from remote image fetching. In this skill context, image-based spiritual analysis makes it especially likely that users will submit intimate personal images casually, without understanding sensitivity, retention, or third-party processing implications.

Missing User Warnings

Medium
Confidence: 91%
Finding: This reference maps many user intents directly to endpoints that inherently require highly sensitive personal data such as birth date, birth time, birthplace, relationship data, and in some cases health or fertility-related inputs, but it provides no warning about privacy, data minimization, or safe handling. In a skill designed to guide endpoint selection, that omission can cause agents to solicit and transmit sensitive data too casually, increasing the risk of over-collection, inappropriate disclosure, and privacy harm.

Missing User Warnings

Medium
Confidence: 88%
Finding: The script sends user-supplied endpoints and POST bodies to an external third-party API using an authentication token, but it provides no user-facing disclosure, confirmation, or restriction on what data is transmitted. In this skill context, users are likely to submit sensitive birth data and related personal details, so silent transmission to a remote service creates a meaningful privacy and data-handling risk.

External Transmission

Medium
Category: Data Exfiltration
Content:
BODY="${3:-}"

if [ "$METHOD" = "GET" ]; then
  curl -s -X GET "${BASE_URL}${ENDPOINT}" \
    -H "Authorization: Bearer ${ASTROLOGY_API_KEY}" \
    -H "Accept: application/json"
elif [ "$METHOD" = "POST" ]; then
Confidence: 84%

VirusTotal

66/66 vendors flagged this skill as clean.
