Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
Name analysis and name/company generation using Kangxi stroke counts and an 81-number table is consistent with the skill name/description. The included Python modules implement stroke lookups, five-grid math, and batch name generation — these are expected for the stated purpose.
Instruction Scope
SKILL.md and the code keep scope to name analysis/generation. The runtime instructions explicitly say the skill may auto-download the full Kangxi CSV on-demand and cache it locally; they do not instruct reading unrelated system files or exfiltrating data. Note: the skill uses an environment variable SKILL_CACHE_DIR to choose cache location (not listed in requires.env) and will write cache files under the chosen directory (default ~/.cache/name_skill).
Install Mechanism
There is no install spec, but the code performs a runtime download of the full Kangxi CSV from public CDN/GitHub raw URLs (jsdelivr / raw.githubusercontent). This is a reasonable source for its purpose, but the code does not have a configured SHA-256 checksum (_CSV_SHA256 is empty) so downloaded data is trusted without verification. The download writes a JSON cache (~3MB CSV parsed) to disk.
Credentials
The skill requests no credentials and does not require external API keys. It does read an optional SKILL_CACHE_DIR env var to change the cache path (not declared), which is reasonable for a disk cache but should be noted. No other sensitive environment variables are accessed.
Persistence & Privilege
The skill does write a local cache and may persist a downloaded CSV-derived JSON file under the cache directory, which is proportionate to the feature. It does not request always:true, does not modify other skills, and does not require elevated privileges.
Assessment
This skill is internally consistent for name analysis/generation. Before installing: be aware it may download a ~3MB Kangxi CSV from jsDelivr/GitHub at runtime and store a cache in ~/.cache/name_skill (or the path you set in SKILL_CACHE_DIR). The download URL is reasonable for the task but the code currently does not enforce a checksum, so consider one of these mitigations if you require stronger integrity guarantees: (1) set SKILL_CACHE_DIR to a directory you control and prepopulate it with a vetted kangxi_full.json, (2) modify the code to set _CSV_SHA256 to a known-good hash, or (3) review the downloaded CSV contents before first use. There are no requested credentials and no hidden network endpoints, but I observed a stray/truncated character in name_generator.py output (a lone 'd' and truncated file in the package) which suggests small bugs — you may want to run the code in a sandbox or review the full files before enabling it for unrestricted automated use.Like a lobster shell, security has layers — review code before you run it.
latest
name: 陈星任(陳星任) source: full kangxi strokes: 陳=16画 星=9画 任=6画 (康熙繁体笔画)
格 数理 吉凶 解释 天格 17 吉 排除万难,有贵人助 人格 25 吉 天时地利,名利双收 地格 15 吉 谦恭做事,外得人和 外格 7 吉 独营生意,和气吉祥 总格 31 吉 能得人望,排除万难
overall score: 89.0 / 100
## 繁简转换依赖
- `opencc-python-reimplemented`(已内置,无需手动安装)
- 静默处理无繁简差异的字(已有繁简差异的字才转换)
## 注意事项
- 复姓(欧阳、司马等)自动识别
- 生僻字自动触发 L3 下载,无需手动干预
- 罕见字确实查不到时,抛出 `ValueError` 说明哪些字缺失
Comments
Loading comments...