Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
玄空数术·六爻占卜 (Xuankong Numerology: Liu Yao Divination)
v1.0.1 · Xuankong Numerology: Liu Yao Divination. Supports two modes: casting a hexagram for a reading, and question-and-answer chat. Trigger keywords: 妖妖 (Yaoyao), 六爻 (Liu Yao), 起卦 (cast a hexagram), 占卜 (divination), 算卦 (fortune-telling), 卜卦, 摇卦 (shake the coins), 排卦 (lay out a hexagram), 问卦 (ask the hexagram), 解卦 (interpret a hexagram), 运势 (fortune), 姻缘 (marriage), 事业 (career), 财运 (wealth), 健康 (health), 出行 (travel), and so on. Use this skill when the user expresses an intent to divine, opens a question with "妖妖", or sends an API key beginning with lyk-.
⭐ 1 · 85 · 0 current · 0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Benign, high confidence
Purpose & Capability
The name and description (六爻占卜, Liu Yao divination) match the actual behavior: the skill calls an external divination API, needs an API key, and returns text and images. The required artifacts (saving a user-supplied API key, calling the /divine and /divine/chat endpoints) are appropriate for this purpose, and no unrelated credentials or binaries are requested.
Instruction Scope
SKILL.md explicitly instructs the agent to scan user messages for an API-key pattern (lyk-...), save that key to ~/.liuyao_key, run the included Python client, download any image URLs returned, and send the images via openclaw as a separate message. These steps are within the skill's operational scope, but they grant the skill the ability to write files to the user's home directory (~/.liuyao_key) and to download external media, both actions the user should be aware of.
Install Mechanism
There is no install spec; the skill is instructions plus a small Python client (httpx). No external archives, unusual URLs, or package installs are performed by the skill itself. This is low-risk from an install-mechanism perspective.
Credentials
The skill does not request platform environment variables or unrelated credentials. It relies on a user-supplied API key (pattern lyk-...) saved to ~/.liuyao_key, which is appropriate for contacting the listed service. No extraneous secrets are requested.
Persistence & Privilege
The skill writes the user-provided API key to ~/.liuyao_key and saves images to /tmp/liuyao_images; it does not request 'always: true' or modify other skills. Persisting a user-supplied secret to a predictable local file is expected for this client, but it is a persistence behavior the user should consider: the key is stored in plaintext.
Assessment
This skill appears to do what it says, but take these precautions before installing or using it:
(1) Only provide an API key if you trust the remote service (https://yao.gizzap.com). The skill stores any lyk-... key you send in plaintext at ~/.liuyao_key.
(2) The skill downloads images from URLs returned by that service into /tmp/liuyao_images and sends them out via the platform's messaging (openclaw), so untrusted image URLs could expose your environment to downloaded content.
(3) If you later remove the skill, delete ~/.liuyao_key and any files in /tmp/liuyao_images so that no credentials or artifacts are left behind.
(4) If you need stronger guarantees, ask the maintainer how the API provider uses and stores keys, or use a dedicated, revocable API key limited to this service.
Like a lobster shell, security has layers — review code before you run it.
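The scan's three concerns (a plaintext key file in the home directory, images fetched from whatever URL the service returns, and artifacts left behind on removal) each have a cheap mitigation at the client. The following is an added example, not the skill's own Python client: it accepts a key only when it matches the lyk- pattern, writes it with owner-only permissions through a temporary file, fetches images only from https URLs on yao.gizzap.com, stores them under a content-hash name after checking they actually look like an image, and removes both locations on cleanup. The lyk- prefix, the host and the file locations come from the listing; the key-length bounds, the PNG/JPEG-only rule and the size cap are assumptions.

```python
"""Hardened key persistence and image download for the Liu Yao client (added example)."""
import hashlib
import os
import re
import shutil
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Assumption: keys are "lyk-" followed by 16..128 alphanumerics (exact length unknown).
KEY_RE = re.compile(r"\blyk-[A-Za-z0-9]{16,128}\b")
ALLOWED_HOSTS = {"yao.gizzap.com"}                 # the only service the skill should talk to
MAX_IMAGE_BYTES = 5 * 1024 * 1024                  # assumption: refuse anything larger
MAGIC = {b"\x89PNG\r\n\x1a\n": ".png", b"\xff\xd8\xff": ".jpg"}  # assumption: PNG/JPEG only


def extract_key(message: str) -> Optional[str]:
    """Return the first lyk- key found in a chat message, or None."""
    m = KEY_RE.search(message)
    return m.group(0) if m else None


def save_key(key: str, path: Path) -> Path:
    """Write the key 0600 via a temp file so a crash never leaves a partial or world-readable key."""
    if not KEY_RE.fullmatch(key):
        raise ValueError("not a lyk- key")
    tmp = path.with_name(path.name + ".tmp")
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)  # umask can only tighten this
    try:
        with os.fdopen(fd, "w") as f:
            f.write(key + "\n")
        os.replace(tmp, path)
    finally:
        if tmp.exists():
            tmp.unlink()
    return path


def key_file_is_private(path: Path) -> bool:
    """True if the key file is a regular file with no group/other permission bits."""
    st = path.stat()
    return stat.S_ISREG(st.st_mode) and (stat.S_IMODE(st.st_mode) & 0o077) == 0


def allowed_image_url(url: str) -> bool:
    """Accept only https URLs on the divination host with no embedded credentials."""
    u = urlparse(url)
    return u.scheme == "https" and u.username is None and u.hostname in ALLOWED_HOSTS


def store_image(data: bytes, directory: Path) -> Path:
    """Save bytes only if they look like an image; name by content hash, never by URL."""
    if len(data) > MAX_IMAGE_BYTES:
        raise ValueError("image too large")
    ext = next((e for magic, e in MAGIC.items() if data.startswith(magic)), None)
    if ext is None:
        raise ValueError("not a PNG or JPEG")
    directory.mkdir(mode=0o700, parents=True, exist_ok=True)
    out = directory / (hashlib.sha256(data).hexdigest()[:16] + ext)
    if not out.exists():
        fd = os.open(out, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as f:
            f.write(data)
    return out


def cleanup(key_path: Path, image_dir: Path) -> List[str]:
    """Remove the stored key and downloaded images (precaution 3 above)."""
    removed = []
    if key_path.exists():
        key_path.unlink()
        removed.append(str(key_path))
    if image_dir.is_dir():
        shutil.rmtree(image_dir)
        removed.append(str(image_dir))
    return removed


def demo() -> Dict[str, object]:
    """Run the whole flow in a scratch directory (stand-in for ~ and /tmp) and report results."""
    root = Path(tempfile.mkdtemp(prefix="liuyao_demo_"))
    key_path, image_dir = root / ".liuyao_key", root / "liuyao_images"
    message = "妖妖 my key is lyk-" + "A1b2" * 8 + " please cast a hexagram"  # constructed message
    key = extract_key(message)
    save_key(key, key_path)
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64                       # constructed PNG-like bytes
    saved = store_image(png, image_dir)
    rejected = None
    try:
        store_image(b"<html>not an image</html>", image_dir)      # constructed bad response
    except ValueError as exc:
        rejected = str(exc)
    result = {
        "key": key,
        "key_private": key_file_is_private(key_path),
        "saved_suffix": saved.suffix,
        "rejected": rejected,
        "removed": cleanup(key_path, image_dir),
        "leftover": [str(p) for p in (key_path, image_dir) if p.exists()],
    }
    shutil.rmtree(root, ignore_errors=True)
    return result


if __name__ == "__main__":
    print(demo())
```

Naming downloaded files by content hash rather than by the returned URL is what removes the path-traversal and overwrite risk from an untrusted response; the magic-byte check is the minimum that keeps an HTML error page or a script from being saved and forwarded as an "image".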
Latest version: vk970q30c7me5y5zpwgzr945m5x83nx4g
