☯️ 命理大师 · Fortune Master Ultimate

Name: university-applications
Author: wscats

View on ClawHub↗

Share on X Share on LinkedIn Share on Bluesky

100Critical

The skill is vulnerable to prompt and command

ThreatsCI SM CS BC S HITL

Behavior Analysis

Description verified — behavior matches claim

Claims to do

☯️ 命理大师 · Fortune Master Ultimate: > 全体系命理顾问——排盘、占卜、风水、运程、择时，一站式解读。

Actually does

This skill executes local Python and Node.js scripts to perform various traditional Chinese and Western fortune-telling calculations (e.g., Bazi, Ziwei, Qimen, Liuyao, Tarot, Astrology, Feng Shui). It manages user profiles and preferences in local JSON files, generates HTML reports, and can schedule local cron jobs for daily fortune pushes. It explicitly states it makes no outbound network calls.

Threat Analysis

AI Agent Traps ↗Scanned 4/15/2026

Content InjectionPerception1 finding

Semantic ManipulationReasoningclean

Cognitive StateMemory & Learning1 finding

Behavioural ControlAction4 findings

SystemicMulti-Agent Dynamicsclean

Human-in-the-LoopHuman Overseer1 finding

Skill Info

Namewscats/university-applications

Registryclawhub

Version1.0.4

PURLpkg:clawhub/wscats/university-applications@1.0.4

Stars9

Downloads11,880

Installs1

Source

Repository ↗

SHA-256672b16046389...

SHA-16b4c6cf53560...

MD5352f654c7f24...

TLSH0d6219594e71...

ssdeep384:QftxuG1Z...

Size14,910 bytes

Install

This skill has been flagged as potentially malicious. Review the findings below before installing.

OpenClawDocs

https://clawhub.ai/wscats/university-applications

11,880 downloads1 installs

ClawHubDocs

openclaw skills install wscats/university-applications

Assessments (4)

AI Agent Traps ↗

Prompt Injection Detectedcriticalprompt injection

DeBERTa classifier detected prompt injection (confidence: 0.97)

97% confidence

Command Execution via Script Invocationhighcommand execution

The skill directly invokes `node` and `python3` scripts with user-provided arguments. If user input is not properly sanitized before being passed to these scripts, it could lead to command injection, allowing an attacker to execute arbitrary commands on the host system.

90% confidenceline 200

node "{baseDir}/scripts/register.js" <userId> <姓名> <性别> <出生日期> <出生时间> [地点]
python3 "{baseDir}/scripts/feixing.py" year
node "{baseDir}/scripts/liuyao.js" [010203] [问题]

Persistence Mechanism via Cron Job Managementhighpersistence

The skill has the capability to add and remove cron jobs using `openclaw cron add` and `openclaw cron delete` via IPC messages. While used for legitimate daily pushes, this mechanism could be abused to establish persistence or schedule malicious tasks if the skill's execution context is compromised.

90% confidenceline 240

openclaw cron add "0 7 * * *" "cd {baseDir} && node scripts/daily-push.js"
push-toggle.js：通过 `__OPENCLAW_CRON_ADD__` / `__OPENCLAW_CRON_RM__` IPC 消息与 OpenClaw 运行时通信，管理定时任务

Local File System Write Accessmediumdata exfiltration

The skill explicitly stores user profiles and logs in local JSON files (`data/profiles/{userId}.json`, `data/push-log.json`). While necessary for its stated function, this capability, if combined with command injection, could allow an attacker to read, modify, or exfiltrate sensitive local data.

80% confidenceline 300

data/profiles/{userId}.json   # 用户档案
data/push-log.json            # 推送日志

Supply Chain Risk from External Dependenciesinfosupply chain

The skill relies on external Node.js packages (`iztro`, `lunar-typescript`). Vulnerabilities in these third-party dependencies could be exploited, even if the skill's own code is secure.

80% confidenceline 22

install:
  - kind: node
    package: iztro

RAG Poisoning via Configurable Knowledge Base Pathmediumrag poisoning

The skill allows an optional `OPENCLAW_KNOWLEDGE_DIR` environment variable to specify a path to a ZiWei pattern knowledge base. If an attacker can control this environment variable, they could point it to a malicious knowledge base, leading to RAG poisoning and manipulation of the agent's reasoning.

80% confidenceline 25

env:
  - name: OPENCLAW_KNOWLEDGE_DIR
    required: false
    description: "Optional path to ZiWei pattern knowledge base (.md files)."

Potential for Social Engineering via Persona Manipulationlowsocial engineering

The skill is designed to output results '像真人老师' (like a real teacher) and offers various '语气风格' (tone styles). While the skill defines '硬性边界' against harmful advice, this persuasive persona could be leveraged for social engineering if the ethical guidelines are bypassed or manipulated.

70% confidenceline 178

核心原则: 像真人老师：结论清楚，过程有理路，语气稳，不空洞鸡汤。
语气风格: 老师傅直断风, 温和咨询风, 神秘玄学风, 理性顾问风, 塔罗疗愈风, 道门参悟风

Badge

Markdown

[![Mondoo Skill Check](https://mondoo.com/ai-agent-security/api/badge/clawhub/wscats/university-applications.svg)](https://mondoo.com/ai-agent-security/skills/clawhub/wscats/university-applications)

HTML

<a href="https://mondoo.com/ai-agent-security/skills/clawhub/wscats/university-applications"><img src="https://mondoo.com/ai-agent-security/api/badge/clawhub/wscats/university-applications.svg" alt="Mondoo Skill Check" /></a>

Image URL

https://mondoo.com/ai-agent-security/api/badge/clawhub/wscats/university-applications.svg

Secure your AI agents

Skills can read files, run commands, and access credentials. Mondoo helps organizations manage the security risks of AI agent skills across their entire fleet.

Continuous scanning of skills across all registries
Policy enforcement before skills reach your agents
Integration with your existing security workflow