命理大师

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Chinese astrology/divination skill with local profiles and opt-in LLM and push features, but it needs careful handling of API keys and personal profile data.

Install only if you want a Chinese fortune/divination toolkit. Keep profile files private, avoid adding family members without consent, and use the delete/opt-out controls when done. If you enable Liuyao LLM interpretation, use a separate limited API key and avoid custom endpoints unless you fully trust the server. Daily push is opt-in, but be aware of the confirmed logging bug and the unrelated package name/slug mismatch.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (8)

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding
The template collects and persists personal data for spouse, parents, and potentially children, which goes beyond a narrowly scoped user profile and increases the amount of sensitive data stored. Even if storage is local-only, this expands privacy risk, consent issues, and the blast radius if the profile file is exposed, copied, or mishandled.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding
The page explicitly allows a user to send both their divination question and their API credential to an arbitrary custom endpoint. Even with warnings and HTTPS checks, this creates a direct exfiltration path for sensitive user content and bearer tokens to an attacker-controlled server if the user is socially engineered into using a malicious endpoint.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding
The implementation transmits user questions, hexagram data, and an Authorization bearer token to third-party LLM APIs, but the skill metadata does not disclose that the 六爻 interface performs remote inference. This mismatch undermines informed consent and can surprise users who reasonably expect a local-only divination UI based on the manifest description.

Intent-Code Divergence

Severity: Medium
Confidence: 98%
Finding
In the live-send branch, `sent` is declared with `const` inside the `else` block, but later referenced outside that block when building `logEntry.results`. On successful execution this raises a `ReferenceError`, which can terminate the run after messages may already have been written, preventing reliable logging and potentially interrupting subsequent pushes. In a batch notification script, this is a real integrity/availability flaw because it can cause partial delivery with incorrect audit state.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding
The package metadata uses very broad trigger keywords such as '今日运势', 'daily horoscope', '占卜', and 'divination', which can match common conversational requests and cause the skill to activate outside a narrowly intended scope. Because the skill handles persuasive, personalized spiritual guidance and profile features, overbroad invocation increases the chance of unsolicited routing, unexpected collection/use of user data, and unsafe advice in contexts that should stay general-purpose.

Natural-Language Policy Violations

Severity: Medium
Confidence: 77%
Finding
The description and displayName are Chinese-only and strongly locale-specific, which can cause the skill to present or route in a language the user did not request. This is primarily a safety and usability issue: users may misunderstand the skill’s purpose, consent boundaries, or disclaimers, especially given that it offers personalized fortune-telling and profile management.

Natural-Language Policy Violations

Severity: Medium
Confidence: 91%
Finding
The file is entirely written as a Chinese-only framework and does not indicate any user-language detection, fallback, or consent mechanism. This can cause the agent to ignore a user's preferred language and produce inaccessible or misleading output, especially where users may rely on nuanced interpretation or disclaimers they cannot read clearly.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The script handles highly sensitive personal data from local profiles, including names and birth-derived astrological information, and then prints a marriage-compatibility judgment without prominent privacy or advisory warnings. Although there is a basic CLI ownership check, the output can still expose sensitive relationship inferences and personal profile contents to anyone with local execution access or shell history/log access.

VirusTotal

66/66 vendors flagged this skill as clean.