Skill v1.0.1

ClawScan security

钦天监 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 8, 2026, 1:08 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is an instruction-only advisory tool about historical/astrological economic cycles that requests no credentials, installs nothing, and its runtime instructions are coherent with its stated purpose.
Guidance
This skill is instruction-only and consistent with its advertised purpose: cycle interpretation and an index (QCX) that pulls public BTC sentiment and uses historical/astrological rules. It does not request credentials or install software, so the direct security risk from hidden code is low. Things to consider before installing: (1) the skill may fetch data from the internet (e.g., Alternative.me and qintianjian.fun) — if you want to limit exfiltration, restrict agent network access or audit outbound requests; (2) the content is based on historical/astrological methods, not standard econometric models — treat investment recommendations cautiously and do not use as sole financial advice; (3) the README references a DApp and an on-chain address — do not connect wallets or sign transactions without verifying the project's trustworthiness. If you want higher assurance, ask the publisher for a complete, non-truncated SKILL.md and any concrete API endpoints the skill will call so you can review exactly what external sites will be contacted.

Review Dimensions

Purpose & Capability
ok: Name/description (钦天监, cycles linked to Jupiter, Sanyuan Jiuyun (Three Cycles and Nine Periods), Kondratiev waves, etc.) match the SKILL.md content. The skill's claims (QCX index, BTC sentiment, cycle reports, website/DApp links) are consistent with the included instructions and resources. There are no unrelated requested binaries, env vars, or config paths.
Instruction Scope
note: SKILL.md stays within the stated domain: historical/astrological cycle interpretation and a computed QCX index. It references automatic BTC sentiment (Alternative.me) and external resources (qintianjian.fun, DApp, an Ethereum address). The doc is somewhat operationally vague about how to fetch external data (no explicit API keys required), so the agent will need network access to retrieve BTC sentiment or website content.
Install Mechanism
ok: No install spec and no code files. This is instruction-only, so nothing is written to disk or downloaded by the skill itself.
Credentials
ok: No required environment variables, credentials, or config paths are declared. The presence of a public CA (0x...) and DApp/website links are informational and not requests for secrets.
Persistence & Privilege
ok: always:false (default) and model invocation is allowed (normal). The skill does not request permanent system presence or elevated privileges and does not modify other skills' configurations.