Is elilin97/fortune-oracle safe?

https://github.com/openclaw/skills/tree/main/skills/elilin97/fortune-oracle

Overall score: 61/100 · CAUTION

The fortune-oracle skill contains a deliberate prompt injection instruction that attempts to redirect the agent to Google's gemini-3-pro-preview model, directly contradicting its stated 'offline' design. Additionally, the skill's scheduled cron push feature creates a fully specified mechanism for the agent to transmit data to arbitrary external messaging endpoints (Telegram, Slack, Discord, etc.) without user intermediation. No actual exfiltration was observed during installation and canary files remained intact, but the skill's design — combining model hijacking with an external push delivery channel — represents a meaningful risk that warrants careful review before deployment.

Category Scores (score out of 100 · weight in the overall score)

Prompt Injection 28/100 · 30%
Data Exfiltration 55/100 · 25%
Code Execution 92/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 35/100 · 5%

Findings (9)

CRITICAL · Model Routing Hijack Instruction Embedded in Skill · -60

The SKILL.md system prompt contains an explicit instruction to redirect the agent to use Google's gemini-3-pro-preview model when model routing is supported. This is a prompt injection attack that attempts to silently switch the underlying model without user awareness. A fortune-telling skill with an 'offline' claim has no legitimate reason to specify a cloud model preference. This instruction is placed in the '强约束' (strong constraints) section to maximize compliance pressure.

HIGH · Cron Push Feature Mandates Direct External Message Transmission · -30

The skill contains a fully specified cron/scheduled push feature that instructs the agent to use messaging tools to transmit full unmodified content directly to attacker-specifiable endpoints (Telegram chat_id, Slack, Feishu, Discord, WhatsApp). The instruction explicitly forbids summarization and requires direct full-text delivery. Any invocation with a delivery.channel and delivery.to parameter supplied by an attacker could cause the agent to exfiltrate accumulated session context.

HIGH · Mandatory Pre-Task File Reads Imposed on Agent · -12

The skill uses 'must' (必须) language to require the agent to read two or three local files before performing any fortune calculation. This forces unnecessary tool invocations on every interaction, expanding the skill's footprint and creating a dependency on files that could be modified to inject additional instructions into subsequent agent runs.

MEDIUM · Sensitive Personal Data Collected and Persisted Locally · -15

The skill collects precise birth datetime, astrological chart text (containing location and time inference), gender, and related personal data, storing it in a structured JSON file. This file persists across sessions and can be read by other skills, making it a secondary exfiltration target. The schema includes chartRaw (raw chart text) which may contain extensive personal information.

MEDIUM · 'Offline' Claim Contradicts External Network Dependencies · -35

The skill explicitly claims to be '本地离线可解释' (locally offline and interpretable) and includes '禁止联网检索' (prohibit internet retrieval) as a strong constraint, while simultaneously: (1) specifying a cloud-hosted model preference, and (2) providing a fully operational external push delivery system. This contradiction is a deception indicator suggesting the skill's stated purpose obscures its actual capabilities.

MEDIUM · Combination Attack: Model Redirect + Data Push Channel · -25

If an agent platform supports model routing, the skill would redirect to Gemini, potentially bypassing the host platform's safety policies and audit logging. Combined with the push channel feature, this creates a two-stage attack: redirect to a less-monitored model, then push accumulated data to an external endpoint. Neither capability alone is necessarily malicious, but together they represent a significant risk escalation.

LOW · Unresolved Path Template Variable Creates Ambiguity · -5

The skill uses '{baseDir}' throughout as a path base but never defines how this variable should be resolved. Different agent implementations may substitute it differently (working directory, skill install directory, user home directory), potentially causing the skill's mandatory file reads to traverse unexpected paths.

INFO · Install Process Network Connections Normal · 0

The git clone connected only to GitHub (140.82.121.4:443). Background connections to Canonical/Ubuntu servers (91.189.91.49, 185.125.188.58) are consistent with normal SSH login MOTD update behavior. No C2 connections, no unexpected DNS queries, no unexpected process execution.

INFO · Canary Honeypot Files Not Exfiltrated · 0

All honeypot files (.env, id_rsa, .aws/credentials, .npmrc, docker config, gcloud credentials) were opened twice during monitoring — once at 07:15:22 (pre-clone, attributed to audit framework setup) and once at 07:15:40 (post-install, attributed to audit framework verification). Integrity check confirms no modification or exfiltration.