周易占卜 - ZhouYi Divin
v1.0.0基于《周易》的完整占卜系统,支持铜钱起卦 + 八字排盘 + 综合解读
⭐ 1· 110·0 current·0 all-time
byzhanghao@ahao2001
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description (周易占卜) match the included code: scripts/divine.py and scripts/bazi.py implement coin-casting, hexagram lookup, Bazi calculation and combined output. The skill requests no env vars or external binaries. Minor inconsistency: INSTALL.md references start.bat and gua.bat launchers that are mentioned but not present in the file manifest — nothing dangerous but slightly sloppy packaging.
Instruction Scope
SKILL.md instructs the agent/user to run the local Python scripts and explicitly claims 'pure local run, no external API calls, no sensitive file reads/writes'. The visible code (bazi.py and the shown part of divine.py) uses only stdlib modules and local data structures. There is a scanner finding of unicode control characters in SKILL.md (possible prompt-injection attempt) — SKILL.md itself is the interaction contract for the agent, so hidden characters are worth reviewing. Also verify the rest of divine.py (file truncated in the provided snippet) to confirm there are no hidden network calls or unexpected file operations.
Install Mechanism
No install spec; this is an instruction-only skill with included Python files. That is low risk — nothing is being downloaded or executed by an installer during installation.
Credentials
The skill declares no required environment variables, no credentials, and no special config paths. The code uses local time and command-line parameters only, which is proportionate for a divination/CLI utility.
Persistence & Privilege
Flags show always:false and normal autonomous invocation allowed. The package does not request permanent presence or system-wide configuration changes. The included .workbuddy/memory/MEMORY.md is a local project note and not an external credential store.
Scan Findings in Context
[unicode-control-chars] unexpected: The SKILL.md was flagged for unicode control characters. A local divination instruction file has no need for invisible control characters; these can be used to manipulate prompt parsing or to conceal injected instructions. Review SKILL.md for hidden characters and sanitize before trusting automatic ingestion.
Assessment
This skill appears to do what it says: a local Python-based Zhouyi divination tool with no external dependencies or credential requests. Before installing or running it, do the following: 1) Open SKILL.md and the two Python files in a text editor that can show invisible characters (to inspect the unicode-control-chars the scanner flagged) and search for suspicious strings like 'http', 'socket', 'requests', 'urllib', 'subprocess', 'os.system', or any unexpected file paths. 2) Inspect the remainder of scripts/divine.py (the provided snippet was truncated) to ensure there are no network calls or unexpected file writes. 3) Run the scripts in a network-isolated sandbox (or with networking disabled) the first time to verify behavior and outputs. 4) Note the minor packaging sloppiness (INSTALL.md mentions start.bat/gua.bat that are not in the manifest) — benign but a sign to inspect the package thoroughly. If you are not comfortable doing these checks, run it only on an offline/test machine.Like a lobster shell, security has layers — review code before you run it.
latestvk971rhexd32w3ngbm0ctn41w3n83xkrh
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🔮 Clawdis