ClawHub

fortune-telling(算命)

Security checks across malware telemetry and agentic risk

Overview

This instruction-only fortune-telling skill asks for a birth date to generate entertainment readings and does not include code, external access, or persistence.

Safe to install based on the provided artifacts. Use explicit fortune-telling requests to avoid accidental activation, share only birth-date information you are comfortable using for entertainment, and do not rely on the generated health, financial, career, or relationship predictions for real decisions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The Chinese example trigger uses very broad everyday phrasing such as asking to 'help me look at this week's fortune,' which can overlap with normal conversational text and cause unintended skill invocation. In an agent environment, overly generic triggers increase the chance of prompt hijacking of unrelated user requests or accidental routing of benign conversation into this skill.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The English examples like 'Read my fortune' and 'What's my weekly fortune?' are generic requests that could naturally appear in broader chat, making them insufficiently scoped for safe tool selection. This ambiguity can cause accidental activation when users discuss astrology, entertainment, or personal schedules, especially in systems that rely on semantic matching instead of exact commands.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger list includes generic phrases such as '今天运势 / 本周运势 / 本月运势' and similar English variants that could match normal conversation and cause the skill to activate when the user did not explicitly intend to invoke it. This is not a code-execution issue, but it can lead to unintended collection of sensitive birth-date information and confusing or unwanted responses.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal