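The Strongest Fortune-Telling Master, Drawing on the Strengths of Every School - Zhouyi - Yijing - Zhanbu - Bagua - Xuanxue - Shushu - Witch - Fortune Teller _Divination_Zhouyi_I Ching_Bagua_Metaphysics_Numerology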

Security checks across malware telemetry and agentic risk

Overview

This is a local Zhouyi/I Ching divination skill with a purpose-aligned recent-reading history, but users should know questions are saved in browser storage.

Before installing, assume questions entered in the web UI may remain in that browser's local storage until cleared. Avoid entering highly sensitive health, financial, legal, or relationship details on shared devices, and use the clear-records control when done.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

Medium
Confidence: 96%
Finding
The skill stores users' questions and divination readings in localStorage without any clear disclosure, consent, or retention controls beyond a hardcoded cap. Divination questions can contain sensitive relationship, health, work, or financial information, and any script running in the same origin can read localStorage, making this a privacy and data-minimization issue.

Missing User Warnings

Medium
Confidence: 98%
Finding
Question history is silently persisted to localStorage, creating a privacy risk because users may reasonably assume sensitive spiritual, emotional, health, or financial prompts are ephemeral. In a browser environment, localStorage is accessible to other scripts on the same origin and remains until cleared, increasing the chance of unintended disclosure on shared devices or through unrelated XSS elsewhere on the site.

VirusTotal

65/65 vendors flagged this skill as clean.
