Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name, description, and SKILL.md consistently describe a coin-divination (金钱卦) helper that simulates or guides coin tosses and returns interpretations; no unrelated capabilities are requested.
Instruction Scope
Runtime instructions stay within the divination domain (coin toss simulation, building卦象, returning interpretations). However the SKILL.md requires the user to obtain an authorization code by contacting a WeChat account (csmm-01) — an out-of-band action that directs users to an external party and requires entering a code at first use. The instructions do not explain how the code is validated, what data is sent off-platform, or why an external contact is necessary.
Install Mechanism
Instruction-only skill with no install spec and no code files; nothing is written to disk or installed by the skill itself.
Credentials
The skill declares no environment variables, no credentials, and no config paths. There is no disproportionate access requested by the skill itself.
Persistence & Privilege
No elevated persistence requested (always:false). The skill is user-invocable and can be invoked autonomously by the agent (platform default), which is expected for skills of this type.
What to consider before installing
This skill appears to be a straightforward divination helper, but exercise caution before installing because the publisher/source is unknown and the SKILL.md requires you to contact a third party on WeChat to obtain an authorization code. Before proceeding: (1) confirm why an external code is needed and how it is validated (does the agent send the code to an external server?), (2) do not share sensitive or payment information with the WeChat contact, (3) prefer skills with a verifiable homepage or reputable publisher, and (4) if you test it, avoid entering any platform credentials or secrets and consider trying it in a low-privilege or throwaway account. If the vendor can provide a privacy policy or documentation explaining the authorization flow and data handling, that would reduce risk.Like a lobster shell, security has layers — review code before you run it.
latestvk971xq78tg0f5xatqqe6fydkjh84qeg2
License
MIT-0
Free to use, modify, and redistribute. No attribution required.