ClawHub

I Ching Fortune Telling 易经算命

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only fortune-telling skill, but it asks for highly sensitive birth, photo, and home-layout information without enough privacy safeguards.

Install only if you are comfortable with a fortune-telling skill that may ask for sensitive personal details. Prefer lower-data methods such as I Ching, Tarot, or Runes; avoid sharing exact addresses, floor plans, face photos, hand photos, full legal names, or exact birth details unless truly necessary. Treat outputs as entertainment or spiritual guidance, not professional advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Vague Triggers

Medium
Confidence
95% confidence
Finding
The skill description is broad enough to activate on generic requests about destiny, decisions, career, or love, which overlap with ordinary advice-seeking conversations. This can cause the agent to steer users into a divination workflow unexpectedly, increasing the chance of inappropriate guidance in sensitive personal contexts.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill requests sensitive personal data such as birth date/time/place, full name, and palm photos, but does not provide a warning, consent step, or data-minimization guidance. In a divination context, users may disclose highly personal information without understanding privacy implications or whether the data is necessary and how it will be handled.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The instruction to send an HTML file introduces generated-file handling risk without any safety constraints on embedding user-provided content. If user questions or names are inserted into the HTML report without escaping, this could enable markup/script injection or unsafe rendering in downstream clients.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill solicits highly sensitive personal data for Ba Zi and Zi Wei analysis, including exact birth date/time, location, and gender, without any privacy notice, minimization guidance, or handling restrictions. In an agent context, this can expose users to profiling, identity correlation, and unnecessary collection of personal data beyond what many users would realize they are disclosing.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Requesting clear hand photos for palmistry creates biometric and privacy risk because images of a user's hands may contain identifying features and sensitive incidental metadata. The file presents this as routine input without warning users about image privacy, consent, retention, or safer alternatives.

Missing User Warnings

High
Confidence
99% confidence
Finding
Requesting clear frontal face photos for physiognomy is especially sensitive because facial images are strong biometric identifiers and can be reused for recognition, impersonation, or profiling. In this skill, the request is made without any warning, consent language, or safeguards, making the collection significantly riskier than ordinary user input.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The Feng Shui section requests address or floor-plan data plus resident birth dates, which together can reveal a household's identity, layout, and occupant information. In an interactive agent skill, this combination materially increases privacy and household-security risk, especially if users are not warned that such data could expose where they live and details about their home.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal