BaZi Partner 八字搭档匹配

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do BaZi partner matching, but it can also persistently change the assistant’s future persona by writing to OpenClaw’s SOUL.md file.

Install only if you want this skill to be able to modify your OpenClaw persona file. Before allowing bazi_apply_prompt, review the exact prompt text and target path, and keep a backup or be ready to remove the marked bazi-partner section from SOUL.md.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • System Prompt Leakage: Direct Leakage, Indirect Extraction, Tool-Based Exfiltration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 93%
Finding
The skill instructs the agent to write persistent persona data into SOUL.md, which is a file-write capability, yet no permissions are declared. Undeclared write behavior weakens user consent and platform enforcement because a user may believe this is only an analysis skill, while it can also modify local state and future assistant behavior.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 97%
Finding
The declared purpose is BaZi analysis and partner matching, but the skill also persists a generated system prompt into SOUL.md and alters future assistant behavior. That mismatch is dangerous because it hides a configuration-modifying side effect behind a benign astrology workflow, increasing the chance of surprise prompt injection, unauthorized persistence, or long-lived behavior changes.

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
The skill performs a persistent configuration write to ~/.openclaw/SOUL.md, but that side effect is not reflected in the high-level capability description. Even though the code asks for confirmation in docstrings, the tool itself enforces no consent check and directly writes agent-prompt content into a file that changes future assistant behavior, which is a meaningful hidden capability.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill says it can write the partner persona into SOUL.md, but it does not clearly warn that this is a persistent local file modification that changes future assistant behavior after restart. Even with a confirmation prompt, the warning is insufficiently explicit, so users may not understand they are installing a durable system prompt rather than receiving a one-time result.

VirusTotal

66/66 vendors flagged this skill as clean.
