Back to skill

Security audit

Star Horoscope - 星座运势

Security checks across malware telemetry and agentic risk

Overview

This is a coherent horoscope lookup skill that calls TianAPI with a user-provided API key, with some credential-handling guidance users should treat carefully.

Install only if you are comfortable sending horoscope query parameters and your TianAPI API key to TianAPI. Prefer setting TIANAPI_STAR_KEY as an environment variable or using a secret manager, avoid passing the key on the command line, and do not commit scripts/.env to version control.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
82% confidence
Finding
The invocation guidance uses broad triggers like asking about horoscope or daily fortune, without clearly limiting when the skill should activate or when user consent is needed before contacting a third-party service. This can cause over-broad invocation and unnecessary transmission of user queries to an external API.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill does not provide a clear user-facing warning that horoscope requests, including the queried sign/date and the user's API key, are sent to a third-party service. Missing transparency around external transmission undermines informed consent and can expose user data and secrets to services they did not realize were involved.

Credential Access

High
Category
Privilege Escalation
Content
# 方式一:环境变量(推荐,一次配置永久生效)
    export TIANAPI_STAR_KEY=你的APIKey

    # 方式二:.env 文件(在脚本目录创建)
    echo "TIANAPI_STAR_KEY=你的APIKey" > scripts/.env

    # 方式三:每次命令行传入
Confidence
94% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
export TIANAPI_STAR_KEY=你的APIKey

    # 方式二:.env 文件(在脚本目录创建)
    echo "TIANAPI_STAR_KEY=你的APIKey" > scripts/.env

    # 方式三:每次命令行传入
    python3 scripts/fetch_star.py 你的APIKey 狮子座
Confidence
97% confidence
Finding
.env

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.