Security audit

wuxing-daily

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed fortune-telling/wellness skill with local calculation scripts and an optional cron reminder, but no evidence of hidden data access, exfiltration, or destructive behavior.

Install only if you are comfortable running local Python scripts for fortune/lunar calculations. Enable the cron reminder only deliberately, after checking the exact command and knowing how to list and remove the scheduled task. Treat health, finance, and decision advice as cultural entertainment, not professional medical, financial, or legal guidance.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Context-Inappropriate Capability

Medium
Confidence: 92%
Finding:
The skill instructs use of `cron add` to create a host-level scheduled task, which modifies system state and introduces persistence. Even though it is framed as a reminder feature, scheduling commands can be abused to run arbitrary code repeatedly, and the skill does not include guardrails such as explicit consent, least-privilege guidance, or removal instructions.

Missing User Warnings

Medium
Confidence: 90%
Finding:
The skill describes creating a cron-based reminder without an explicit warning that it will modify scheduled tasks on the host. This is dangerous because users may not realize the skill is establishing persistent execution, and such behavior increases the attack surface if commands or paths are later altered.

Missing User Warnings

Medium
Confidence: 95%
Finding:
The file provides health-related advice tied to organs, body systems, and lifestyle recommendations without any disclaimer that the content is traditional/cultural guidance and not medical advice. In a wellness or fortune-telling skill, users may over-trust these recommendations and delay seeking appropriate professional care, especially when the text references specific organs such as lungs, liver, kidneys, heart, and digestive system.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.