ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

凡心八字在线排盘,导出AI指令

v1.0.2

计算八字以及大运流年信息,需要性别、ISO 8601 格式的时间两个参数

0· 399·2 current·2 all-time
by@ahaofan
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, SKILL.md and paipan.py all align: the tool collects name/gender/birthday and POSTs them to api.bagezi.top to compute 八字. There are no unrelated credentials, binaries, or config paths requested.
!
Instruction Scope
The runtime sends PII (name, gender, birthday) to an external endpoint (http://api.bagezi.top/api/paipan). The SKILL.md exposes that endpoint. The code uses plain HTTP (no HTTPS), meaning data is sent unencrypted in transit — a privacy/transport-security risk. The instructions do not access other system files or env vars, but they do direct personal data off-host.
Install Mechanism
No install spec is provided (instruction-only), so nothing is written to disk by an installer. However, paipan.py depends on the Python 'requests' package but the skill does not declare or install this dependency, which may cause runtime failures; there are no high-risk downloads or archive extractions.
Credentials
The skill requests no environment variables, credentials, or config paths — that is proportionate. The primary risk is that it transmits user-supplied personal data to a third-party service without requiring explicit auth from the user.
Persistence & Privilege
The skill is not forced-always nor trying to persist or modify other skill/system configs. It is user-invocable and can be invoked autonomously (platform default), which is expected and not by itself a red flag.
What to consider before installing
This skill appears to do what it says, but exercise caution before using it with real personal data. It POSTs name/gender/date-of-birth to http://api.bagezi.top (note: plain HTTP, not HTTPS), so unencrypted interception is possible and the recipient is an unknown third party. Before installing or running: (1) avoid sending sensitive/real PII unless you trust the service; (2) prefer an HTTPS endpoint — contact the author or verify api.bagezi.top supports TLS; (3) run the script in an isolated environment (virtualenv/container) and ensure the 'requests' package is installed from a trusted source; (4) inspect network traffic (e.g., with a proxy) if you need to confirm where data goes; (5) if privacy is a concern, seek a local/offline implementation or a reputable provider with a privacy policy. If you need higher assurance, request the maintainer provide HTTPS endpoints and a declared install spec or host the code on a verifiable repository.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ej0t9btvkhp4x6yds61mvcx84st46
399downloads
0stars
3versions
Updated 6h ago
v1.0.2
MIT-0
@ahaofan
latest
Download

凡心八字官网: http://bagezi.top/

联系邮箱: 252468400@qq.com

使用方法

确保 Python 环境使用 UTF-8 编码后运行脚本。

只提供必填参数(name 使用默认值"张三")

python paipan.py -g "男" -b "1997-01-12T23:07:19.083Z"

提供所有参数

python paipan.py -n "李四" -g "女" -b "1990-05-20T10:00:00.000Z"

使用长选项

python paipan.py --gender "男" --birthday_str "1985-08-15T00:00:00.000Z"

参数说明

参数短选项是否必填默认值说明
--name-n张三姓名
--gender-g-性别(男/女)
--birthday_str-b-出生日期,ISO 8601 格式

API 端点

  • 最新端点: http://api.bagezi.top/api/paipan

Comments

Loading comments...