Lao Huangli
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a benign local Chinese almanac calculator; the main thing to notice is that it runs local Python code and may install pinned astronomy libraries.
This skill looks appropriate for cultural/calendar calculations. Before installing, be aware that it may run a local Python calculator and optionally install pinned astronomy dependencies; it should not need credentials or access to private files.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing or using the skill may run bundled local Python code to calculate calendar results.
The skill tells the agent/user to run a local calculation command. This is code execution, but it is disclosed and central to the skill's calendar-calculation purpose.
优先使用脚本计算“可精算字段”... skills/lao-huangli/scripts/huangli 2026 3 2 12 --profile market-folk-v1 --format calendar
Use it only if you are comfortable running the bundled calculator, and keep invocations limited to the expected date/time/profile arguments.
If the user performs the optional setup, third-party Python packages may be installed into the local environment.
The optional local environment uses third-party astronomy packages. They are pinned, which reduces ambiguity, but package installation is still something users should notice.
skyfield==1.54 jplephem==2.24
Install dependencies from trusted package sources and keep the pinned versions under review if maintaining this skill.