ClawHub

GuanXing 观星

v1.0.0

Chinese metaphysics AI — BaZi (八字), daily fortune, crypto fortune, Feng Shui, Tarot, I-Ching divination, dream interpretation, name scoring, compatibility ma...

0· 157·0 current·0 all-time
by@doggychip
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The requested environment variable (GUANXING_API_KEY) and the documented network endpoints match the declared purpose (Chinese metaphysics API calls). No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md instructs the agent to POST user-supplied personal data (birth dates, names, questions, dreams) to heartai.zeabur.app — this is coherent for the stated functionality but is an explicit outbound data flow of potentially sensitive personal information. The instructions do not direct reading local files or other env vars.
Install Mechanism
No install spec or code is included (instruction-only), so nothing is written to disk by the skill itself. Lower risk from installation; optional external packages referenced in README are informational only.
Credentials
Only a single API key (GUANXING_API_KEY) is required, which is proportionate. That key grants the skill the ability to call the external API; treat it as sensitive and do not reuse high-privilege secrets. README claims third-party packages/repos but those are optional and not required by the SKILL.md instructions.
Persistence & Privilege
always is false and the skill does not request system-wide or cross-skill configuration changes. Autonomous invocation by the agent is allowed by default (normal for skills); no excessive persistence or privileges are requested.
Assessment
This skill looks coherent: it needs a single API key and will send whatever the user provides (birth date, name, dreams, crypto tokens) to the GuanXing service (heartai.zeabur.app). Before installing, confirm you trust that external service (verify the domain, review the linked GitHub/npm packages if you need more confidence), avoid sending highly sensitive personal data you don't want shared, store the API key separately (not in shared repos), and be prepared to revoke the key if you see unexpected requests. If you don't want the agent to call this API automatically, disable the skill or remove it from your agent's active skills.

Like a lobster shell, security has layers — review code before you run it.

latestvk976p0t7nya4mdesw2b805vfpx835vdn

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔮 Clawdis
EnvGUANXING_API_KEY
Primary envGUANXING_API_KEY

Comments