liuyao-xueer

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill appears to be a coherent divination webpage. The main caution is that it can use a user-provided LLM API key and send the user's question, together with the divination result, to a configured model provider.

Before using this skill, verify the LLM endpoint before entering a key, use a dedicated or revocable API key, avoid typing highly sensitive personal questions into the page, and make sure the package includes the assets it references rather than downloading replacements from untrusted sources.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the key is misused, or entered into an endpoint the user has not verified, whoever receives it can spend the user's credits or act on the model account until the key is revoked.

Why it was flagged

The skill asks the user to enter an LLM provider API key and an endpoint URL. This is expected for the advertised OpenAI/DeepSeek/Claude-style integration, but the key is still account authority: whatever receives it can incur usage and billing.

Skill content
Expand 「大模型配置」 (LLM configuration) in the page and fill in: - API Key - Endpoint URL (defaults to OpenAI; can be swapped for DeepSeek etc.) - Model name
Recommendation

Use a dedicated, low-privilege or revocable API key, verify the endpoint before entering it, and rotate the key if unsure.
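One way to carry out the endpoint verification recommended above before a key is pasted into the page. This is an added example for this review, not code from the liuyao-xueer skill; the TRUSTED_HOSTS allowlist and the check_endpoint name are assumptions, and the allowlist should be edited to match the providers you actually use.

```python
"""Pre-flight check for an LLM endpoint URL before an API key is pasted into it.

Added example for this review, not code from the liuyao-xueer skill. The
TRUSTED_HOSTS allowlist is an assumption for illustration: it lists the public
API hosts of the providers the skill says it supports.
"""
from urllib.parse import urlsplit

# Assumed allowlist of provider API hosts (edit to match what you trust).
TRUSTED_HOSTS = {
    "api.openai.com",
    "api.deepseek.com",
    "api.anthropic.com",
}


def check_endpoint(url: str) -> list:
    """Return the problems found with `url`; an empty list means it passed."""
    problems = []
    parts = urlsplit(url.strip())

    # The key travels in a request header, so anything but TLS exposes it in transit.
    scheme = parts.scheme.lower() or "(none)"
    if scheme != "https":
        problems.append(f"scheme is {scheme}, expected https")

    # user:pass@host lets a trusted-looking name sit before '@' while the real
    # host is whatever follows it, e.g. https://api.openai.com@evil.example/.
    if parts.username is not None or parts.password is not None:
        problems.append("URL embeds credentials; the real host is after the '@'")

    host = (parts.hostname or "").lower()
    if not host:
        problems.append("URL has no hostname")
    elif host not in TRUSTED_HOSTS:
        # Flag look-alikes: a trusted name used as a subdomain of another domain
        # (api.openai.com.evil.example) or with dots swapped for hyphens (api-openai.com).
        normalized = host.replace("-", ".")
        lookalike = next((t for t in sorted(TRUSTED_HOSTS) if t in normalized), None)
        if lookalike:
            problems.append(f"host {host!r} resembles trusted host {lookalike!r} but is not it")
        else:
            problems.append(f"host {host!r} is not in the trusted provider list")

    # Public provider APIs listen on 443; any other port deserves a second look.
    try:
        port = parts.port
    except ValueError:
        port = None
        problems.append("port is not a valid number")
    if port not in (None, 443):
        problems.append(f"unexpected port {port}")

    return problems


if __name__ == "__main__":
    for candidate in (
        "https://api.openai.com/v1",
        "http://api.openai.com/v1",
        "https://api.openai.com.evil.example/v1",
        "https://api.openai.com@evil.example/v1",
    ):
        verdict = check_endpoint(candidate)
        print(candidate, "->", "OK" if not verdict else "; ".join(verdict))
```

Run it against the endpoint string before entering it in the 「大模型配置」 panel; any non-empty result means the key should not be entered until the URL has been explained. The look-alike check is deliberately conservative and will also flag legitimate self-hosted proxies, which is the point: a proxy in front of a provider should be added to the allowlist explicitly rather than accepted because it contains a familiar name.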

What this means

Personal or sensitive questions typed into the page may be sent to the selected model service.

Why it was flagged

The artifact discloses that after the divination interaction the page calls an external LLM provider for interpretation. That data flow is purpose-aligned, but it may transmit the user's question and the divination result to whichever provider is configured.

Skill content
After the six-line (liuyao) casting finishes, the hexagram is displayed automatically and an LLM is called to interpret it; supports connecting OpenAI / DeepSeek / Claude and other LLMs for streaming hexagram interpretation
Recommendation

Avoid entering highly sensitive questions, choose a trusted model provider, and review the provider's privacy and retention terms.

What this means

The visual interface may not render as described, and users might be tempted to fetch the missing assets from untrusted sources.

Why it was flagged

SKILL.md lists additional expected image assets such as assets/maple_front.png, assets/maple_back.png, and assets/雪儿头像.jpg, but the supplied manifest only includes SKILL.md and assets/index.html. This suggests packaging incompleteness, not hidden execution.

Skill content
2 file(s): SKILL.md (1496 bytes); assets/index.html (42920 bytes)
Recommendation

Install from a trusted package that includes all referenced assets, or verify any replacement assets before use.
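A concrete way to perform the packaging check that the finding and recommendation above call for: compare the asset paths referenced by SKILL.md and assets/index.html against the files the manifest actually ships. This is an added example for this review, not code from the liuyao-xueer skill. SKILL_MD and INDEX_HTML are constructed stand-ins for the real files; only the asset path names and the two-file manifest are taken from the ClawScan finding, and the function names are assumptions.

```python
"""Check that every asset a skill references is actually present in its package.

Added example for this review, not code from the liuyao-xueer skill. SKILL_MD
and INDEX_HTML below are constructed stand-ins for the real files: only the
asset path names and the two-file manifest come from the ClawScan finding.
"""
import posixpath
import re

# Constructed stand-in for SKILL.md, naming the assets the finding lists.
SKILL_MD = """# liuyao-xueer
Open assets/index.html in a browser.
Coin faces: assets/maple_front.png and assets/maple_back.png.
Avatar: assets/雪儿头像.jpg
"""

# Constructed stand-in for assets/index.html with relative src= references.
INDEX_HTML = """<img src="maple_front.png"><img src='maple_back.png'>
<img src="雪儿头像.jpg">
<link rel="stylesheet" href="https://cdn.example/style.css">
"""

# The manifest exactly as the scan reported it: two files shipped.
MANIFEST = ["SKILL.md", "assets/index.html"]

# Paths like assets/foo.png mentioned anywhere in prose.
ASSET_PATH_RE = re.compile(r"assets/[^\s\"'()<>]+")
# src= / href= attribute values in HTML.
HTML_REF_RE = re.compile(r"""(?:src|href)\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
# Anything with a URL scheme or a protocol-relative prefix is remote, not a packaged file.
REMOTE_RE = re.compile(r"^(?:[a-z][a-z0-9+.-]*:|//)", re.IGNORECASE)


def referenced_assets(skill_md, index_html, html_dir="assets"):
    """Collect package-relative paths referenced by SKILL.md and the HTML page."""
    refs = set()
    for m in ASSET_PATH_RE.finditer(skill_md):
        refs.add(m.group(0).rstrip(".,;:"))  # drop trailing sentence punctuation
    for m in HTML_REF_RE.finditer(index_html):
        ref = m.group(1).split("#")[0].split("?")[0]
        if not ref or REMOTE_RE.match(ref):
            continue  # remote resources are not part of the package
        # Resolve relative to the directory the HTML file lives in.
        refs.add(posixpath.normpath(posixpath.join(html_dir, ref)))
    return refs


def missing_assets(skill_md, index_html, manifest):
    """Return referenced paths that the manifest does not contain, sorted."""
    shipped = set(manifest)
    return sorted(p for p in referenced_assets(skill_md, index_html) if p not in shipped)


if __name__ == "__main__":
    missing = missing_assets(SKILL_MD, INDEX_HTML, MANIFEST)
    if missing:
        print("Package is incomplete; referenced but not shipped:")
        for p in missing:
            print("  ", p)
    else:
        print("All referenced assets are present.")
```

Against the two-file manifest the check reports the three image files the finding names as missing. To use it on a real download, replace the constructed strings with the contents of the package's SKILL.md and assets/index.html and the manifest with the file list from the archive; a non-empty result means the package is incomplete and any asset obtained elsewhere should be treated as untrusted until inspected.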