Tafu BaZi

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Tafu astrology API connector that handles birth data for its stated purpose, with privacy-handling cautions but no evidence of hidden or malicious behavior.

Install only if you are comfortable sending birth date, birth time, gender, and city-level location to Tafu's external paid service. Avoid submitting another person's data without consent, configure TAFU_API_BASE_URL only to a trusted endpoint, and avoid leaving real payloads in fixed /tmp files after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The examples repeatedly show transmission of highly sensitive personal data—full birth date, time, gender, and location—to a paid third-party API, but provide no privacy warning, consent guidance, retention notice, or minimization advice. In this skill context, that omission is materially risky because birth data is the core input for the service and can be linked to identity, making it easy for downstream users to disclose personal or third-party data without understanding the privacy implications.

VirusTotal

65/65 vendors flagged this skill as clean.
