Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Bazi Name Master
v0.1.0Use when the user wants BaZi-based baby naming, asks you to calculate a child's chart from raw birth data, already has a detailed four-pillar chart and wants...
⭐ 0· 49·0 current·0 all-time
by@billin9
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description match the provided assets: a calculation script and naming guidance. The only required data (birth date/time, birthplace, surname, gender, candidate names) is appropriate for the stated purpose. Minor oddities: the SKILL.md repeatedly references supporting reference files and an absolute path under /Users/Bai/.agents/... while the packaged manifest only contains references/naming-principles.md and not the other referenced docs.
Instruction Scope
Runtime instructions are generally scoped to BaZi calculation, analysis, and name evaluation and insist on using the included calculate_bazi.py script. However the instructions use hardcoded absolute paths (e.g. /Users/Bai/.agents/skills/...) and reference additional reference files (source-priority.md, platform-research.md) that are not present in the package manifest — this creates a risk the agent will try to access unexpected local paths. The SKILL.md also allows online research on social platforms (Douyin, Xiaohongshu, Zhihu) which is reasonable for trend checks but expands the network attack surface and should be noted.
Install Mechanism
No install spec (instruction-only skill) and a single supporting script. The script declares a dependency on lunar-python via an in-script header (dependencies = ["lunar-python>=1.4.8,<2"]). No downloads or external install URLs are present in the skill bundle itself.
Credentials
The skill requests no environment variables, credentials, or config paths. It does require collection of personal birth data (time/place) which is necessary for BaZi calculations; this is proportionate for the stated function but is sensitive personal data and should be treated accordingly.
Persistence & Privilege
The skill does not request permanent presence (always:false). It does not modify other skills or system-wide settings in the provided files. Autonomous invocation is allowed (platform default) but not, by itself, a red flag here.
What to consider before installing
What to check before installing/using:
1) Operational inconsistencies: SKILL.md points to absolute paths under /Users/Bai/.agents/... and to extra reference files (source-priority.md, platform-research.md) that are not included in the manifest. Confirm where the skill will be installed and update those paths; verify the referenced documents exist.
2) Script review: calculate_bazi.py is self-contained, does not make network calls or read arbitrary files, and prints structured JSON. The in-script dependency on lunar-python means the runtime must have that package installed.
3) Runtime tooling: SKILL.md examples use "uv run" in shebangs — ensure your agent environment supports that command and that running arbitrary scripts with uv is acceptable.
4) Data sensitivity: the skill legitimately collects birth date/time/place and name/surname; these are personal data — only provide them if you are comfortable.
5) Source provenance: the skill has no homepage and an unknown owner ID. If you need higher assurance, ask the publisher for missing reference files, a canonical install path, or a repository link, and test the calculation script in an isolated environment before granting it broader agent access.
If these issues are resolved (corrected paths, included reference docs, and confirmation of runtime tooling), the skill appears coherent and functionally appropriate; as-is, the hardcoded paths and missing files are the main reasons for caution.Like a lobster shell, security has layers — review code before you run it.
bazivk9746aenq5wwb4m9j3pnqt5x3h844sgvcnvk9746aenq5wwb4m9j3pnqt5x3h844sgvlatestvk9746aenq5wwb4m9j3pnqt5x3h844sgvnamingvk9746aenq5wwb4m9j3pnqt5x3h844sgv
License
MIT-0
Free to use, modify, and redistribute. No attribution required.