iaskaster

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches its Bazi report purpose, but it grants broader local file, credential, payment, and install authority than users are clearly warned about.

Review before installing. Use only if you trust the provider with phone or email login plus detailed birth information, avoid invoking the file-read tool on arbitrary paths, independently verify the recharge destination, and remove .iaskaster-token, .iaskaster-uid, .iaskaster-session, downloaded PDFs, and generated screenshots when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill exposes network and environment-backed capabilities without declaring corresponding permissions, which undermines least-privilege controls and informed review. In this skill's context, those hidden capabilities matter because the documented flow includes login, report retrieval, and external-service interaction, so undeclared access can mask sensitive data handling and outbound communication.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The manifest presents the skill as a fortune-telling/PDF-report tool, but the described behavior extends into authentication flows, token/session storage, balance and recharge operations, browser launching, screenshot capture, and arbitrary file reading. This mismatch is dangerous because users and reviewers may consent to a low-risk content skill while actually granting a much more powerful tool access to credentials, local files, and payment-related actions.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill includes recharge/payment functionality, browser launching via child_process, and Puppeteer screenshot automation that are not necessary for Bazi analysis or PDF generation. Expanding a fortune-telling skill to open payment pages and automate browser behavior increases attack surface and could trigger unwanted local actions or facilitate monetization abuse in an agent context.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The iaskaster_read tool reads any caller-supplied filename and returns the file contents as base64, with no path restrictions or sandboxing. In an agent environment, this creates an arbitrary local file read primitive that can expose secrets, credentials, system files, or user documents completely unrelated to fortune-telling.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly states that the skill calls an external iaskaster API to generate professional PDF fate-analysis reports, but it does not warn users that personal birth data and related inputs may be transmitted to a third-party service. In this skill context, that omission is more dangerous because fortune-telling/Bazi analysis typically requires sensitive personal information such as date and time of birth, creating a meaningful privacy and data-handling risk.

Vague Triggers

Medium
Confidence
88% confidence
Finding
Broad triggers built from everyday terms such as '运势' and '生成报告' can cause the skill to activate in contexts the user did not intend, increasing the chance of unexpected execution. In this case, unintended invocation is more serious because the skill can initiate login, status, report, and other externally connected workflows rather than just answering locally.

Vague Triggers

Medium
Confidence
90% confidence
Finding
Ambiguous triggers like '登录状态', '生成报告', and '保存报告' overlap with many unrelated conversations and can route users into this skill unexpectedly. Because this skill includes authentication, report access, and download flows, accidental invocation can expose account state or lead to unintended external operations.

Missing User Warnings

High
Confidence
95% confidence
Finding
The skill instructs users to provide highly sensitive personal data, including name, gender, birth date/time, and contact details for verification-code login, without any privacy notice about transmission, storage, retention, or third-party handling. That is dangerous because the workflow combines identity/contact information with personal profile data and sends it to an external service, creating privacy and compliance risk.

Missing User Warnings

High
Confidence
91% confidence
Finding
Authentication tokens and user IDs are stored in predictable local files in the working directory without any visible warning, permission hardening, or secure storage mechanism. On shared systems or multi-tool agent environments, these files may be exposed to other processes or accidentally committed, enabling account takeover or data access.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Authentication tokens and user IDs are stored in predictable local files in the working directory without any visible warning, permission hardening, or secure storage mechanism. On shared systems or multi-tool agent environments, these files may be exposed to other processes or accidentally committed, enabling account takeover or data access.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The installer unconditionally removes the existing target skill directory with `rm -rf "$SKILL_PATH"` and recreates it, which can destroy prior contents without prompting the user or validating what is about to be deleted. Although the path is quoted and derived from expected config locations, this is still a real unsafe installer behavior because a user may lose data or a previously customized installation if the script is run in the wrong context or with an unexpected config base.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script rewrites the user's `openclaw.json` in place via a Node one-liner, changing skill loading and installation settings without an explicit warning, backup, or transactional write. This is dangerous because malformed JSON, unexpected schema differences, or partial writes can corrupt the user's configuration and alter future application behavior beyond just enabling this skill.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger set includes generic terms like “登录”, “验证码”, “报告”, “结果”, “查看”, and “下载”, which are common in unrelated conversations and can cause the skill to activate outside its intended fortune-telling context. Because the skill has network access, authentication flow, and handles sensitive personal data, accidental invocation could lead to unnecessary collection or transmission of contact details and birth information to an external service.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The manifest explicitly states that a PDF will be downloaded to local storage, but it does not clearly require an explicit runtime confirmation or warn about where the file will be written. In a skill that generates sensitive personal reports from birth details and account-linked data, silent or unclear local writes can expose private information to other local users, backups, sync services, or later unintended access.

VirusTotal

59/59 vendors flagged this skill as clean.
