Back to skill

Security audit

Daily Horoscope Creator

Security checks across malware telemetry and agentic risk

Overview

The skill is a disclosed horoscope image generator, but users should know some displayed scores are adjusted rather than purely API-provided.

Install only if you are comfortable providing your own TianAPI key and treating the generated horoscope scores as presentation-adjusted entertainment content. You may need to create the missing config.json structure yourself, and you should keep that file out of version control.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The script explicitly states it stops execution to ensure 'data authenticity', but then calls normalize_scores() to overwrite API-derived horoscope scores with randomized values while preserving only relative ranking. This is a data integrity issue because generated outputs are presented as sourced from the API even though key numeric values are fabricated, which can mislead users and downstream publishers relying on the content as authentic.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.