Skill v3.0.1

ClawScan security

梅花易数技能 (Meihua Yishu skill) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 3, 2026, 3:12 PM
Verdict: Benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill appears to be a local, self-contained 梅花易数 (Meihua Yishu) divination tool. Its code and usage align with its description, and it does not request credentials or install external components.
Guidance
This skill appears coherent and low-risk: it runs a local Python script that implements the described divination features and does not request credentials or install external code. Before installing or running it, review the full scripts/meihua_pan.py file (the prompt showed a truncated listing) to ensure there are no hidden network requests, unexpected file writes, or telemetry. Run the script in a sandboxed environment if you have concerns, and avoid entering highly sensitive personal data into divination inputs, since outputs may be logged locally (check the code for any file write operations). If you want higher assurance, ask the author for the full source or a checksum, and verify that no external endpoints or credential usage appear in the remainder of the code.

Review Dimensions

Purpose & Capability
ok · The name/description (梅花易数排盘与断卦, Meihua Yishu chart casting and hexagram interpretation) match the included script and SKILL.md: the code implements gua generation, hu gua and bian gua (变卦), ti-yong (体用) analysis, a gua-example DB and automated interpretations. There are no unrelated requirements (no cloud creds, no unrelated binaries).
Instruction Scope
note · Runtime instructions simply run the included Python script with method/date/number arguments. The SKILL.md and visible code do not direct the agent to read system-wide secrets or contact external endpoints. Note: the file listing in the prompt was truncated, so the full script (size given ~37 KB) should be reviewed end-to-end to confirm there are no hidden network calls or references to unrelated file paths.
Install Mechanism
ok · No install spec: this is instruction-only plus a local Python script. That is low-risk, since nothing is downloaded or installed by the skill itself.
Credentials
ok · The skill declares no required environment variables, no credentials, and no config paths. The visible code imports only stdlib modules (argparse, json, os, datetime, random) and does not require external secrets.
Persistence & Privilege
ok · "always" is false and the skill does not request system-wide privileges. There is no evidence in the provided content that it modifies other skills or global agent configuration.