Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

滴天髓

v1.0.0

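Provides Bazi chart plotting, destiny analysis, destiny-pattern interpretation and fortune prediction services based on Liu Bowen's annotated 滴天髓.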

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (滴天髓 Bazi analysis) match the instructions: the SKILL.md describes Bazi chart plotting and destiny analysis and instructs the user to provide birth date/time. There are no unrelated binaries, env vars, or installs required.
Instruction Scope
Runtime instructions are narrow (prompt for birth datetime, return analysis). However the SKILL.md requires an authorization code obtained by contacting a WeChat account (csmm-01) but gives no detail on how the code is validated or used. This out-of-band step is atypical and could enable social-engineering or external monetization that’s not enforced/transparent in the skill text.
Install Mechanism
No install spec and no code files (instruction-only). This minimizes install/write-to-disk risk.
Credentials
The skill requests no environment variables, credentials, or config paths (proportionate). The only external dependency is a manual request for an authorization code via WeChat; this is not a technical credential but is an out-of-band requirement that raises privacy and authenticity concerns.
Persistence & Privilege
always:false and user-invocable:true. The skill does not request elevated persistence or system-wide configuration changes.
What to consider before installing
This skill appears to be a straightforward Bazi/destiny-reading assistant, but it asks you to contact a WeChat account (csmm-01) to obtain an authorization code while providing no homepage, publisher info, or technical validation method. Consider the following before installing or using it:
- Treat the WeChat contact as an out-of-band ask: do not share sensitive credentials (passwords, bank info, full ID numbers). Sharing only birth date/time is likely required for the service, but be cautious if they request more personal data.
- Lack of source/homepage and no code to verify the publisher reduce trust. Prefer skills with clear publisher info or an official homepage.
- Because validation/authorization is manual, the skill could be a marketing gate (harmless) or a social-engineering vector (suspicious). If you need this functionality, ask the publisher for more details (who operates csmm-01, how the code is issued and verified, privacy policy) before providing personal data.
- If you decide to test it, avoid giving any sensitive personal identifiers beyond the birth datetime, and consider doing an initial test with non-sensitive example data.

Confidence is medium because the skill is internally coherent but the out-of-band authorization and unknown origin leave important unanswered questions.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dbvrd6qhnnyxr88b1yppw9x84pxfg
