运势计算 (Fortune Luck)

Security checks across malware telemetry and agentic risk

Overview

This fortune-telling skill is locally scoped and purpose-aligned, but it stores the user's birthday for reuse.

Install only if you are comfortable entering a birthday and having it saved locally for future fortune calculations. To remove the saved data, delete ~/.openclaw/fortune_birthday.json. Consider reviewing or pinning the lunar-python dependency before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Context-Inappropriate Capability

Medium (89% confidence)
Finding
The skill stores a user's birthday in a hidden file under the home directory, creating persistent local retention of personal data. Birth dates are sensitive personal information, and hidden persistence increases privacy risk because users may not realize the data is being kept or that it may be accessible to other local processes or users, depending on system permissions.

Vague Triggers

Medium (88% confidence)
Finding
The trigger phrases are broad, natural-language expressions such as '帮我算运势' and '今天运势怎么样', which can plausibly appear in ordinary conversation and cause unintended activation of the skill. In an agent environment, this can lead to surprise execution, unwanted collection/use of stored birthday data, or the agent responding in a mode the user did not explicitly invoke.

Vague Triggers

Medium (91% confidence)
Finding
The trigger phrases include very broad everyday expressions such as asking about luck or how today is going, which can cause unintended invocation outside a clear fortune-telling context. In an agent environment, overbroad triggers can route unrelated user requests into this skill, causing confusing behavior and potentially unnecessary collection or use of personal data like birth dates.

Missing User Warnings

Medium (94% confidence)
Finding
The skill states that birth date information will be persistently stored in a local file, but it does not clearly disclose retention, consent, deletion options, or file protection expectations. Birth dates are personal data, and silent persistence increases privacy risk through over-collection, unintended reuse, or exposure to other local processes or users on the same system.

Missing User Warnings

Medium (95% confidence)
Finding
Birthday data is written to disk without any user-facing notice, consent flow, or retention explanation. This is dangerous because users may disclose personal information for a one-time calculation while the skill silently keeps it long-term, violating privacy expectations and increasing exposure if the host is shared or compromised.

VirusTotal

66/66 vendors flagged this skill as clean.
