Astro Life Insights

Security checks across malware telemetry and agentic risk

Overview

This is a local astrology skill that stores birth-chart details on the user’s machine for its stated purpose, with no evidence of hidden exfiltration or unsafe automation.

Install only if you are comfortable storing your birth date, birth time, and birthplace in a local JSON file at ~/.config/astro-life-insights/natal-chart.json. The reviewed artifacts do not send that data to external services, but local backups, shared user accounts, or other local software could still expose it. Be aware that the documented upcoming.js command appears to be missing in this version.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The script collects highly sensitive personal data related to a user's birth date, time, and location, then writes it to a persistent local file without any clear privacy notice, consent language, or mention of retention. While this is not an exploit primitive by itself, it creates privacy risk because other local users, backup systems, malware, or unintended file sharing could expose this data, and users are not explicitly informed before storage occurs.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal