Fortune Daily

Security checks across malware telemetry and agentic risk

Overview

This is a coherent horoscope skill, with privacy-relevant birthday storage and optional push delivery that users should understand before enabling.

Before installing, decide whether you are comfortable storing birthday, zodiac, and push preference data in MEMORY.md. Clear the bundled MEMORY.md sample data before real use, enable daily push only after explicit user opt-in, and verify how your OpenClaw runtime handles message delivery and deletion/reset of stored profile data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

High
Confidence: 96%
Finding
The skill explicitly reads and writes persistent personal birth data in MEMORY.md to support personalization, but the workflow does not clearly warn users that this sensitive profile data will be stored. Birth date and related profile attributes are personal data, and silent persistence creates privacy, consent, and retention risks, especially if shared across sessions or accessible to other components.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill supports automated delivery of personalized fortune content through external channels and records push metadata, but it does not clearly disclose that personalized data may be transmitted outside the current conversation context. Even if the content is low sensitivity, linking horoscope output with stored identity traits and delivery preferences can expose personal profile information or create unwanted disclosure through third-party channels.

VirusTotal

64/64 vendors flagged this skill as clean.
