Skill v2.0.0
ClawScan security
Fortune Teller · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 17, 2026, 6:49 PM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and requested resources are consistent with a local, entertainment-focused fortune-teller CLI: it reads/writes a small data directory but does not request credentials or contact external endpoints.
- Guidance: This skill appears internally consistent and implements a local, entertainment-focused CLI. It does not require API keys or network access. Notes before installing: (1) the scripts will create and write files under your data directory (default ~/.local/share/fortune-teller); if you prefer isolation, set FORTUNE_TELLER_DIR to a sandbox location. (2) The python snippet and bash scripts do not perform network calls or read secrets, but they will log entries you add (via the add command) to data.log/history.log—avoid storing sensitive data there. (3) If you want extra assurance, inspect the two scripts (scripts/fortune.sh and scripts/script.sh) yourself or run them in a restricted environment. Overall the skill is coherent with its stated purpose.
Review Dimensions
- Purpose & Capability (ok): Name/description (fortune-telling, tarot, I Ching, daily fortunes) match the shipped scripts. The two included shell scripts implement commands (bazi, daily, zodiac, and a small CLI with add/list/search/export) and no unrelated services or credentials are requested.
- Instruction Scope (ok): SKILL.md instructs running the CLI and saving stdout. The scripts operate locally and do not read arbitrary system files or environment variables beyond an optional FORTUNE_TELLER_DIR. They do create and write files under the user's data directory (~/.local/share/fortune-teller by default).
- Install Mechanism (ok): No install spec is provided (instruction-only). The skill ships small bash/python snippets only; nothing is downloaded from remote URLs or installed automatically.
- Credentials (ok): No required environment variables or credentials are declared. The only configurable variable is FORTUNE_TELLER_DIR (to change the local data directory), which is proportionate to the CLI's purpose.
- Persistence & Privilege (note): always is false and the skill does not request elevated privileges. It does create and write local files (data.log, history.log, config.json path referenced) in a user data directory—expected for a local CLI. Be aware the agent (if allowed to invoke the skill) can run these scripts and thereby write to that directory.
