king-wen-hexagrams

Security checks across malware telemetry and agentic risk

Overview

This is a coherent divination skill that stores optional profile details locally and only suggests scheduled reminders after user opt-in.

Install only if you are comfortable saving divination profile details locally. Review any generated cron command before adding it, because scheduled reminders can include your profile details in the task message; use the state script to inspect or clear saved data when needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Missing User Warnings

Medium
Confidence: 91%
Finding
The README states that the skill can collect personal profile data such as lunar birthday, gender, and optional birth hour, and may help configure a daily-fortune cron job, but it does not clearly disclose privacy handling, storage behavior, retention, or the operational impact of modifying scheduled tasks. This can mislead users into providing sensitive personal data or approving system-level automation without informed consent, especially because installation and onboarding are presented as a normal part of setup.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill explicitly asks for sensitive personal profile data, including birthday, sex, and optionally birth time, but the markdown does not tell users how that data is stored, retained, or protected. Because the skill also supports persistent daily fortune and profile initialization flows, users may reasonably assume ongoing storage, making silent collection of personal data riskier than a one-off conversational prompt.

Missing User Warnings

Medium
Confidence: 93%
Finding
The guide explicitly encourages collection of sensitive personal data such as lunar birth date, sex, and optionally birth time, but provides no notice about why the data is needed, how it will be stored, whether it is retained across sessions, or how it is protected. In a divination/profile context, this creates unnecessary privacy risk and potential misuse of persistent personal profiling, especially because the data is framed as helpful for ongoing use.

Missing User Warnings

Medium
Confidence: 91%
Finding
The daily-fortune workflow asks for recurring profile data and scheduling details, including birth data, sex, execution time, and timezone, without warning users that this may enable automated recurring processing or persistence of personal information. This increases privacy risk because repeated scheduled use can build a longitudinal profile of the user without transparent disclosure or controls.

Missing User Warnings

Medium
Confidence: 94%
Finding
The onboarding explicitly asks users to provide sensitive personal data, including lunar birthday, gender, optional birth hour, and potentially timezone, and later references commands that save and display the stored profile. Although the text says users may decline, it does not clearly disclose retention, storage location, access scope, deletion, or privacy risks, which can lead to unnecessary collection and exposure of personal data.

Vague Triggers

Medium
Confidence: 93%
Finding
The trigger phrase "帮我占一下" is broad enough to match ordinary conversational requests and can cause the skill to activate when the user did not explicitly intend to invoke this specific divination workflow. In an agent environment, ambiguous activation can route unrelated user input into a spiritually framed guidance flow, creating confusion, mis-scoped assistance, and possible privacy exposure if the skill begins collecting profile or question details unexpectedly.

Missing User Warnings

Medium
Confidence: 93%
Finding
The script writes personal profile data such as lunar birthday, gender, birth hour, and scheduling preferences to a predictable file in the user's home directory without any warning, consent flow, or file-permission hardening. On multi-user or poorly configured systems, this can expose sensitive personal data to other local users or backups/logging systems, creating a privacy and confidentiality risk that is heightened because the skill collects quasi-personal profile information unrelated to strict computation.

Missing User Warnings

Medium
Confidence: 95%
Finding
The workflow explicitly asks users to provide personal profile data such as lunar birth date, gender, and optionally birth hour, and says these may be 'recorded' without any accompanying privacy notice, retention limits, or explanation of how the data will be stored and used. In a divination skill, this data is not strictly necessary for all use cases, so collecting it by default increases privacy risk and can expose sensitive personal attributes if logged, retained, or reused improperly.

VirusTotal

65/65 vendors flagged this skill as clean.