ClawHub

小六壬即时算

Security checks across malware telemetry and agentic risk

Overview

This is a local Xiao Liu Ren divination helper with no evidence of hidden access, persistence, credential use, or data exfiltration.

Install this only if you want a Chinese Xiao Liu Ren casting assistant. It may trigger on broad divination phrasing and defaults to Chinese output; treat results as reflective or entertainment guidance, not medical, legal, financial, or life-critical advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
94% confidence
Finding
The trigger conditions are overly broad: terms like '占卜' and '起卦' can overlap with other divination systems, general fortune-telling, or ambiguous user intent. This can cause the agent to invoke this skill in unintended contexts, leading to incorrect tool routing, misleading outputs, and reduced user trust, especially because the skill is instructed to auto-proceed using current Beijing time when the user does not specify a method.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The skill enables implicit invocation without any activation constraints, so the agent may route ordinary conversation into a divination workflow even when the user did not clearly request it. In a fortune-telling skill, this increases the chance of unsolicited mystical or deterministic advice being injected into unrelated contexts, which can mislead users and bypass normal expectation-setting.

Natural-Language Policy Violations

Medium
Confidence
88% confidence
Finding
The default prompt hard-codes Chinese output and usage, which can cause the skill to respond in a language the user did not request or understand. This is primarily a safety and usability issue: forced language output can obscure disclaimers, limitations, or consent cues, making accidental invocation more confusing in combination with implicit routing.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal