Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Lao Huangli

v1.0.0

Use when users ask for 老黄历/黄历/择日/宜忌/冲煞/干支/节气 explanations, or need a reproducible engineering workflow to compute calendar fields and derive traditional alma...

by Simon@cikichen
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description, bundled code, and rule files all align with an almanac/黄历 calculator. The code and JSON rule files model the claimed functionality (lunar conversion, ganzhi, rulesets). The one mismatch: the declared required binaries include 'uv' in addition to python3 — 'uv' is uncommon for a calendar script and is not explained in the README, making it an unexpected runtime requirement.
Instruction Scope
SKILL.md confines runtime actions to running the included script and loading local rule files; it requires standard inputs (date/time/timezone) and emphasizes provenance. It does not instruct the agent to read unrelated system files or secrets. However, the documentation contains contradictory phrasing: it both says '推荐直接运行(无需本地安装依赖)' ("recommended to run directly, no local dependency installation needed") and also shows commands to create a venv and pip-install requirements. That contradiction could lead users to run the script without necessary Python packages (causing failures) or to run opaque helper commands.
Install Mechanism
The registry entry has no formal install spec (instruction-only), but the package contains runnable Python scripts and a requirements.txt (skyfield, jplephem). SKILL.md suggests using 'uv' to make a venv and run pip install, which will pull packages from PyPI. This is typical but not declared in the registry metadata. Skyfield may also attempt to fetch ephemeris data at runtime if not bundled, implying legitimate network activity. No arbitrary remote URLs are embedded for code downloads, and rule files reference public bibliographic URLs only.
Credentials
The skill requests no environment variables, no credentials, and no config paths. That is proportionate for a local calendar/almanac computation tool.
Persistence & Privilege
The skill is not marked always:true and is user-invocable only; it does not request persistent or cross-skill privileges. It does not declare actions that would modify other skills or system-wide settings.
What to consider before installing
This skill mostly does what its description says (local calendar calculations plus rule-driven '宜/忌'). Before installing/running:

1) Verify what the 'uv' binary is on your system (the README uses 'uv venv' and 'uv pip'); it's unusual — confirm it's a trusted tool or replace those steps with python3 -m venv / pip.
2) Expect pip installs (skyfield, jplephem) which download from PyPI; run in an isolated virtualenv or sandbox.
3) Skyfield may download JPL ephemeris or other data at runtime if not bundled — allow network only if you expect astronomy ephemeris fetches.
4) The package contains local rule files and provenance URLs (wikisource, GitHub) only — there are no hidden remote endpoints in the provided files, but you should still inspect the omitted modules (calendar_core, astronomy, rule_engine) before trusting outputs.
5) If you want minimal risk, run the included script in an offline sandbox (after installing dependencies from a vetted source) or review/modify the code to remove any unwanted network calls.

If you want, I can: explain the 'uv' command further, locate the remaining omitted code for review, or produce a short checklist to run the script safely in a disposable venv.


latest: vk97879qpyst7x9cp89tb42wy6n82vvfk


Runtime requirements

Bins: python3, uv
