Security audit

奇门遁甲排盘

Security checks across malware telemetry and agentic risk

Overview

This is a local divination charting skill with disclosed Node.js scripts and no evidence of hidden data access, network use, persistence, or privileged actions.

Install only if you want a traditional divination/charting helper. Run it without elevated privileges, be explicit before using any report-sharing workflow, and do not rely on its health, legal, or investment readings for real-world decisions; consult qualified professionals for those topics.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 88%
Finding
Overly broad trigger words like '奇门', '占卜', '吉凶', or '吉方' can cause unintended activation in unrelated conversations. In an agent environment, accidental invocation may lead to confusing responses, context hijacking, or execution of the skill's workflow when the user did not intend to use it.

Vague Triggers

Low
Confidence: 81%
Finding
The trigger examples lack boundaries and exclusion criteria, which increases the chance that the skill will activate on loosely related user messages. While the impact is limited by the benign nature of the skill, ambiguous routing can still degrade reliability and cause unintended tool use.

Missing User Warnings

Medium
Confidence: 94%
Finding
This section gives health-related interpretive guidance about disease severity, treatability, doctors, and treatment outcomes without any disclaimer that it is not medical advice. In a divination skill, users may rely on these statements to delay or avoid professional care, especially where the text suggests whether an illness is serious or curable.

VirusTotal

66/66 vendors flagged this skill as clean.
