Back to skill
Skillv4.3.0
ClawScan security
PanchangaAPI — Vedic Astrology · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 17, 2026, 2:23 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This is an instruction-only skill that coherently tells an agent how to call the Moon‑Bot Vedic astrology REST API; it requests no unrelated permissions, binaries, installs, or credentials beyond an optional API key.
- Guidance
- This skill appears coherent for calling a third‑party astrology API, but before installing: 1) Confirm you trust https://api.moon-bot.cc (check HTTPS cert, ownership, and reputation). 2) Read their privacy/terms to understand data retention and sharing — birth datetime + coordinates are personal data. 3) Use an ephemeral or scoped API key if possible and avoid sending unnecessary PII. 4) Be cautious about enabling webhook subscriptions (they imply open endpoints/callbacks). 5) Test with non‑sensitive example data first, and monitor usage/requests to detect unexpected activity. If you need stronger privacy guarantees, consider self-hosting an equivalent service or using a provider with a clear data‑protection policy.
Review Dimensions
- Purpose & Capability
- okThe name/description (Vedic astrology API) matches the SKILL.md instructions: how to register, how to call endpoints (datetime, latitude, longitude), and which endpoints exist. No unrelated environment variables, binaries, or install steps are requested, so the declared requirements are proportionate to the stated purpose.
- Instruction Scope
- noteInstructions direct the agent to obtain accurate current time (system clock/time tool) and to make HTTPS requests to https://api.moon-bot.cc, which is expected for an API integration. Note: those requests will transmit personal birth data (datetime, latitude/longitude and potentially other birth details) to a third party. The SKILL.md does not direct the agent to read unrelated files, environment variables, or system secrets, but it does mention webhook subscriptions (which imply callbacks) without implementation detail — verify how webhooks would be handled if you plan to enable them.
- Install Mechanism
- okNo install spec and no code files; instruction-only skills do not write code to disk or pull external packages here, representing the lowest install risk.
- Credentials
- noteNo required env vars; an optional PANCHANGA_API_KEY is reasonable. However, the API will receive sensitive personal data (birth datetime, coordinates) — evaluate the privacy policy, data retention, and whether the optional API key provides adequate access control. Payment methods (crypto) and 'free tier' details are noted in SKILL.md; confirm billing and rate limits before use.
- Persistence & Privilege
- okalways: false and normal autonomous invocation settings (disable-model-invocation: false) are standard. The skill does not request permanent platform-level presence or modify other skills/configurations.