Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Divination
v1.0.0
Provides true-random card or symbol draws and poetic impulses for divination, relying on cryptographic randomness for unbiased oracle readings.
by @and0r-
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (random card draws + poetic impulses) match the included reference decks and the presence of two shell scripts to perform random draws and generate interpretation impulses — these are coherent and proportionate to the stated purpose.
Instruction Scope
SKILL.md explicitly instructs the agent to run scripts via exec and to read bundled reference files; it does not ask for unrelated files, credentials, or external endpoints. However, SKILL.md mandates ALWAYS executing the provided scripts (and never improvising), which is reasonable for ensuring unbiased randomness but gives the skill full discretion to run arbitrary shell commands. The actual behavior depends entirely on the contents of scripts/divine.sh and scripts/intuition.sh — those script sources were omitted/truncated in the provided file contents, so their runtime actions are unknown.
Install Mechanism
No install spec is present (instruction-only), so nothing will be downloaded or installed at install time. That minimizes supply-chain risk, but runtime exec of bundled scripts still executes code shipped with the skill.
Credentials
No environment variables, credentials, or config paths are required or declared. SKILL.md cites only /dev/urandom for randomness. There is no apparent request for unrelated secrets or system access in the metadata or instructions.
Persistence & Privilege
Flags show always:false and default autonomous invocation allowed. There is no request to modify other skills or platform settings. Autonomous invocation is normal; nothing here elevates persistence or privileges beyond expected behavior.
What to consider before installing
This skill appears coherent for its stated purpose (true-random divination) and asks for nothing unusual in metadata, but it requires the agent to exec two bundled shell scripts. Before installing or allowing the agent to run them: (1) review the full contents of scripts/divine.sh and scripts/intuition.sh to confirm they only read local reference files and /dev/urandom and do not make network calls, read sensitive files, or export data; (2) verify the claimed card images actually exist in the package (SKILL.md references an images/ folder that is not listed in the file manifest); (3) if you cannot inspect the scripts yourself, run them in a sandboxed environment or deny exec permission — the skill's design depends on executing code shipped with it, and that code is the primary risk. If those checks look clean, the skill is reasonable for use; if the scripts include networking, shelling out to curl/wget, or reading home-directory files, treat it as unsafe.
Like a lobster shell, security has layers — review code before you run it.
