Security audit

bazi-fortune-analysis

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only BaZi astrology skill whose personal-data requests fit its stated purpose, with privacy caution needed before use.

Install only if you are comfortable sharing birth details for an astrology reading. Use approximate or limited details where possible, and treat health, finance, relationship, and life advice as cultural or entertainment guidance rather than professional advice.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill explicitly asks for full birth date, time, birthplace, and sex, which are sensitive personal attributes and can increase privacy and profiling risk if collected without a clear warning, minimization guidance, or handling policy. In this context, the data is central to the astrology workflow, so the collection is functionally relevant rather than malicious, but the absence of privacy notice and safer collection boundaries still makes it a real privacy weakness.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.