GuanXing 观星

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a coherent instruction-only fortune/metaphysics skill, but it sends personal details to an external GuanXing API and requires an API key.

Before installing, decide whether you are comfortable sending names, birth dates, birth hours, dreams, compatibility details, and personal questions to heartai.zeabur.app. Keep GUANXING_API_KEY secret, and ask the agent to confirm before sending especially sensitive information.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used carelessly, personal questions or malformed input could be sent through a shell/API command in a way the user did not intend.

Why it was flagged

The skill documents shell-based curl calls with user-provided values in request bodies. This is purpose-aligned, but user text should be encoded safely and sent only for the requested reading.

Skill content

curl -s -X POST https://heartai.zeabur.app/api/v1/qiuqian ... -d '{"category": "CATEGORY", "question": "USER_QUESTION"}'

Recommendation

Use the API only for explicit user requests, encode JSON values safely, and avoid pasting highly sensitive details unless necessary.

What this means

Anyone with the API key could make requests to the GuanXing service under the user's account or app.

Why it was flagged

The skill requires a GuanXing API credential and uses it as a Bearer token for requests. This is expected for the service integration, with no artifact evidence of unrelated credential use.

Skill content

requires:
      env: ["GUANXING_API_KEY"] ... Authorization: Bearer $GUANXING_API_KEY

Recommendation

Store the API key securely, do not share it in chat, and rotate it if it may have been exposed.

What this means

Names, birth dates, birth hours, personal questions, dream descriptions, or compatibility details may leave the local agent and be processed by the GuanXing service.

Why it was flagged

The skill clearly discloses that user-provided personal data is transmitted to an external provider for processing.

Skill content

All data is sent to the GuanXing API at `heartai.zeabur.app` over HTTPS. ... The API processes birth dates and names to generate fortune readings.

Recommendation

Install and use the skill only if you trust heartai.zeabur.app with the specific personal details you submit.