ClawHub

运势晴雨表**是一款创意运势分析技能,采用天气预报的形式呈现周运势。它将抽象的星座运势转化为直观、可操作的结构化报告,帮助用户快速了解本周的运势变化及建议。

Security checks across malware telemetry and agentic risk

Overview

This is a low-risk Chinese horoscope guide that asks for zodiac or birth-date details but does not install code, request credentials, or persist data.

Install only if you are comfortable using a Chinese-language entertainment horoscope skill. Avoid entering another person’s birth date or birth time without consent, and do not rely on the output for financial, medical, legal, or other serious decisions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Natural-Language Policy Violations

Medium
Confidence
93% confidence
Finding
The skill explicitly limits output to simplified Chinese only, without indicating any fallback to the user's preferred language. This can cause the agent to ignore user language needs and degrade usability, potentially leading to misunderstanding of disclaimers, advice, or limitations. In this horoscope context it is not a direct security exploit, but it is still a real quality/safety issue because it forces behavior that may conflict with user intent.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger conditions treat generic birth-date phrases such as '我出生于...' or '我的生日是...' as sufficient activation signals, even without a horoscope request. This can cause the skill to activate on ordinary personal-information conversations, leading to irrelevant responses and unnecessary processing of sensitive birth-date data in contexts where the user did not ask for fortune analysis. In a skill centered on astrology, this broad matching makes accidental invocation more likely and therefore increases privacy and misrouting risk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal