Fortune Telling Bazi

Security checks across malware telemetry and agentic risk

Overview

This skill is a local BaZi fortune-telling tool that stores birth-profile data for reuse, with privacy risks that are disclosed and purpose-aligned.

Install only if you are comfortable saving names, birth dates/times, gender, and derived fortune summaries locally. Avoid entering other people's data without consent, use the stop/deactivate or remove commands when finished, and avoid using it in shared chat sessions where stored profiles could be shown unexpectedly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • System Prompt Leakage: Direct Leakage, Indirect Extraction, Tool-Based Exfiltration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The documented behavior goes beyond a simple fortune-telling interaction and includes persistent record management, active-user state, and broad context injection mechanics, while the top-level description does not adequately disclose these privacy-relevant behaviors. This mismatch is dangerous because users may consent to a lightweight conversational feature without realizing their personal data will be stored and reused across later interactions.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The documented trigger phrase "我的八字" is broad enough that normal conversation about a user's birth chart could unintentionally activate the skill. In a chat environment, accidental activation can cause unsolicited collection or use of sensitive birth data and confusing context injection into later replies.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The short trigger "算命" is highly generic and likely to appear in ordinary discussion, making unintended skill activation more probable. Because this skill stores and auto-attaches sensitive personal birth information, accidental activation has more privacy impact than a typical harmless utility skill.

Vague Triggers

Medium
Confidence
80% confidence
Finding
Repeating the broad activation phrase in bilingual documentation reinforces use of an ambiguous trigger without clarifying exact invocation requirements. That increases the chance of accidental activation across users and contexts, especially when the skill maintains persistent personal profile state.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger table includes the generic phrase "算命" without any constraints, examples, or opt-in flow, which makes activation collisions likely. In this skill's context, unintended invocation can lead to unnecessary prompting for birth date, time, and gender, and can cause persisted sensitive data to be surfaced unexpectedly.

Vague Triggers

Medium
Confidence
86% confidence
Finding
Broad trigger phrases such as everyday expressions can activate the skill unintentionally, causing the agent to enter a mode that accesses stored birth data and injects personal summaries into context or replies. In this skill, accidental activation is more dangerous because the stored data is sensitive and the activation side effects include persistent-state usage and multi-person exposure.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill handles highly sensitive personal data—names, birth date/time, gender, derived profile data—and persists it locally, then reuses it automatically in later conversations, yet the description does not warn users about storage or automatic context injection. This creates a meaningful privacy risk because users may provide personal or third-party data without informed consent, and that data can later be surfaced unexpectedly.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The documented `remove` command deletes stored user data but gives no warning about the permanence or impact of deletion. While this is primarily a safety and UX issue rather than a direct exploit vector, it can still lead to unintended data loss of sensitive records that users expected to retain.

Ssd 3

High
Confidence
99% confidence
Finding
The skill instructs the agent to save birth details and then automatically inject each active user's BaZi summary into every subsequent reply. This is dangerous because sensitive personal data becomes ambient context, increasing the chance of unnecessary disclosure, cross-topic leakage, and accidental exposure to anyone who can view or influence subsequent interactions.

Ssd 3

High
Confidence
98% confidence
Finding
Listing all saved users and injecting all active users' summaries into context expands exposure from one person's data to potentially many people's sensitive records at once. In a multi-user skill, this significantly increases confidentiality risk because one user's request can reveal or influence access to other stored individuals' data, including third parties who may not have consented.

Ssd 3

High
Confidence
99% confidence
Finding
Requiring all active users' summaries to be injected into context and placed at the start of replies guarantees repeated disclosure of sensitive stored information even when unrelated to the current question. This design makes the skill context more dangerous because it normalizes persistent over-sharing and increases the attack surface for prompt leakage, cross-turn disclosure, and unintended exposure in logs or downstream tooling.

VirusTotal

66/66 vendors flagged this skill as clean.
