Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
龙虾命理学习
v1.0.0龙虾角色,专业学习周易与传统命理知识。每日19:00定时推送一个知识点,以严谨、学术化、非迷信的方式解读传统文化。
⭐ 0· 66·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's purpose is to push a daily knowledge item at 19:00 and even mentions automatic cron-based pushes to 企业微信 in the learning log, but the package declares no install steps, no required binaries, and no credentials or config paths for messaging (e.g., enterprise WeChat webhook, API credentials, or scheduling). A push-capable skill would normally declare the endpoint and required secrets; their absence is a meaningful mismatch.
Instruction Scope
The SKILL.md content is otherwise narrowly scoped to content and tone rules, references local files for content, and forbids prediction/fortune-telling. However it also instructs a daily push behavior without specifying how to authenticate or where to send messages. The references/learning-log.md explicitly states a cron pushes to 企业微信, which is an instruction to transmit data externally but no mechanism or credentials are provided.
Install Mechanism
This is an instruction-only skill with no install spec and no code files that would be downloaded or executed. That minimizes installation risk; there is nothing on-disk beyond the included markdown files.
Credentials
No environment variables or credentials are declared, yet the skill's behavior implies it will send messages externally (enterprise WeChat). If message delivery is required, credentials (webhook URL or corp/agent secret) would be necessary; their omission is inconsistent and may lead the agent to request credentials at runtime or to attempt other delivery methods. This is disproportionate to what is declared.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and leaves autonomous invocation at the platform default. There is no evidence it requests elevated system presence or cross-skill configuration changes.
What to consider before installing
Before installing, ask the skill author to clarify the delivery and scheduling mechanism: how will the daily 19:00 push be performed? Which endpoint (enterprise WeChat webhook/API) will be used, and what exact environment variables or secrets are required? If the skill needs credentials, prefer a dedicated, limited-scope account or a single-purpose webhook rather than full corporate secrets. Because this package is instruction-only, it currently cannot perform pushes by itself — verify whether the platform will handle scheduling or whether a future version will add code that requests credentials. Do not supply high-privilege tokens until the transport and storage of those credentials are documented and reviewed. Finally, monitor future updates for added install scripts or code that implement the push functionality — those changes would materially affect the risk profile.Like a lobster shell, security has layers — review code before you run it.
latestvk973g46sdsmjkvdwqsghaq397983yx45traditional-culturevk973g46sdsmjkvdwqsghaq397983yx45yijingvk973g46sdsmjkvdwqsghaq397983yx45zhouguavk973g46sdsmjkvdwqsghaq397983yx45
License
MIT-0
Free to use, modify, and redistribute. No attribution required.