Liuyao En

Security checks across malware telemetry and agentic risk

Overview

This is a low-risk Liuyao divination helper that uses local reference text and a simple random coin-toss Python script.

Install only if you want a reflective divination aid. Treat readings as entertainment or personal reflection, not as professional advice for health, finances, legal matters, or major life decisions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence: 85%
Finding
The phrase "Just tell me: 'I want to consult Liuyao about [your question]'" is a broad natural-language activation pattern that can be matched during ordinary conversation, especially when users discuss divination casually rather than intentionally invoking a skill. In a multi-skill or agentic environment, this can cause unintended activation, leading the assistant to enter divination mode without clear consent or scope boundaries.

Vague Triggers

Medium
Confidence: 83%
Finding
The repeated instruction "Simply say: 'I want to consult Liuyao about [your question]'" reinforces a generic invocation pattern but still does not define trigger limits, confirmation requirements, or examples of similar text that should not activate the skill. This increases the chance of accidental routing or ambiguous activation in normal dialogue, particularly if users paraphrase or quote the phrase.

Vague Triggers

Medium
Confidence: 89%
Finding
The phrase inviting users to say 'I want to consult Liuyao about [your question]' is a broad natural-language trigger that could cause the skill to activate on loosely matching user text without clear scoping or confirmation. In a low-risk divination skill this is not directly dangerous, but it can still lead to unintended invocation, confused routing, or accidental processing of sensitive personal questions.

Vague Triggers

Medium
Confidence: 90%
Finding
The repeated instruction to invoke the skill with a generic natural-language phrase reinforces broad activation behavior without limiting context, intent, or input boundaries. This increases the chance of accidental triggering or overlap with normal conversation, though the skill's content remains low sensitivity and does not request privileged actions.

VirusTotal

66/66 vendors flagged this skill as clean.
