Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Zodiac Horoscope

v1.3.0

Fetch personalized daily horoscope forecasts from zodiac-today.com API based on natal chart calculations. Use when a user wants: (1) daily guidance on what a...

MIT-0
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill's stated purpose (fetch personalized horoscopes from zodiac-today.com) legitimately requires an API key and a profile ID and may require user birth data — so the runtime requirements in SKILL.md are coherent with the purpose. However, the registry metadata lists no required environment variables or primary credential while SKILL.md explicitly requires ZODIAC_API_KEY and ZODIAC_PROFILE_ID; that registry/manifest mismatch is an integrity concern.
Instruction Scope
The SKILL.md instructs the agent to collect sensitive PII (email, birth date, birth city) and explicitly says it may automatically retrieve the verification code 'if the agent has email access (e.g., IMAP)'. That broadens scope to mailbox access (not declared elsewhere) and instructs writing a session cookie file (cookies.txt). Although the doc asks for user consent and to delete cookies.txt, it still directs behaviors (email/IMAP access, temporary cookie storage) that go beyond simple API calls and may require additional privileges the registry doesn't declare.
Install Mechanism
This is instruction-only with no install spec and no code files — minimal install surface and nothing is written to disk by an installer. The only file operation noted is a temporary cookies.txt created by curl in the documented workflow; that is explicitly described and meant to be deleted.
Credentials
SKILL.md requires two environment values (ZODIAC_API_KEY and ZODIAC_PROFILE_ID), which is proportional to the API integration. But the registry metadata declares none, a mismatch that hides required secrets from anyone relying on the manifest. The skill also collects sensitive PII for natal chart calculations; that is explainable by the feature but raises privacy risk and requires explicit consent and secure handling. The instructions further mention session cookies and possible automated email access, which implies access to credentials or mailboxes the manifest does not declare.
Persistence & Privilege
The skill is not forced-always and is user-invocable; autonomous model invocation remains permitted (the default). The main privilege concern is the instruction to access the user's email (IMAP) to retrieve verification codes — combined with autonomous invocation this could increase blast radius. There is no install-time persistence or system-level privilege escalation requested in the files provided.
What to consider before installing
Before installing:
(1) Note the manifest mismatch: SKILL.md requires ZODIAC_API_KEY and ZODIAC_PROFILE_ID, but the registry metadata declares neither. Ask the publisher to correct the metadata.
(2) The skill will ask for sensitive PII (email, birth date, birth city). Collect it only with explicit consent, and store and delete it securely.
(3) The runtime doc suggests the agent can read verification emails itself via IMAP. Do not grant mailbox/IMAP access unless you trust both the skill and its operator; prefer a manual code-entry workflow.
(4) Keep the API key and profile ID in a dedicated, least-privilege environment (or ephemeral secrets), and delete the temporary cookies.txt as instructed.
(5) Because the skill is instruction-only, there was no code to scan, which leaves less evidence about hidden behavior. For higher assurance, request a signed release from the author and a manifest update listing the required env vars and the exact scopes it needs (email access, cookie storage).
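The mismatch described above (SKILL.md relying on env vars and capabilities the registry metadata never declares) is mechanical enough to check before installing. The script below is an added example, not ClawHub or skill code: it scans a SKILL.md for SCREAMING_SNAKE environment variable names and for phrases that imply extra privileges (IMAP, email access, cookie files), then diffs them against what the manifest declares. The manifest schema (a JSON object with "env" and "capabilities" lists) and the capability names are assumptions for illustration, and both the SKILL.md excerpt and the manifest are constructed samples modelled on the findings on this page.

```python
"""Pre-install consistency check between a SKILL.md and its registry manifest.

Added example, not ClawHub or skill code. The manifest layout ("env" and
"capabilities" lists) and the capability names are assumed for illustration.
"""
import json
import re

# Constructed SKILL.md excerpt modelled on the scan findings above.
SKILL_MD = """
## Runtime requirements
Set ZODIAC_API_KEY and ZODIAC_PROFILE_ID in the environment.
Ask the user for email, birth date and birth city.
If the agent has email access (e.g., IMAP), it may retrieve the verification code automatically.
curl -c cookies.txt ... ; delete cookies.txt when done.
"""

# Constructed registry manifest (hypothetical schema) that declares nothing.
MANIFEST_JSON = '{"name": "zodiac-horoscope", "version": "1.3.0", "env": [], "capabilities": []}'

# Names such as ZODIAC_API_KEY: upper-case words joined by underscores.
ENV_VAR_RE = re.compile(r"\b[A-Z][A-Z0-9]{2,}(?:_[A-Z0-9]+)+\b")

# Phrase in the doc -> capability the manifest would have to declare (assumed names).
CAPABILITY_HINTS = {
    "imap": "mailbox",
    "email access": "mailbox",
    "cookies.txt": "filesystem-write",
}


def referenced_env_vars(skill_md: str) -> set[str]:
    """Environment variable names the SKILL.md text relies on."""
    return set(ENV_VAR_RE.findall(skill_md))


def implied_capabilities(skill_md: str) -> set[str]:
    """Privileges the SKILL.md prose implies beyond plain API calls."""
    text = skill_md.lower()
    return {cap for phrase, cap in CAPABILITY_HINTS.items() if phrase in text}


def check(skill_md: str, manifest_json: str) -> dict[str, list[str]]:
    """Return what the doc needs but the manifest does not declare."""
    manifest = json.loads(manifest_json)
    declared_env = set(manifest.get("env", []))
    declared_caps = set(manifest.get("capabilities", []))
    return {
        "undeclared_env": sorted(referenced_env_vars(skill_md) - declared_env),
        "undeclared_capabilities": sorted(implied_capabilities(skill_md) - declared_caps),
    }


if __name__ == "__main__":
    findings = check(SKILL_MD, MANIFEST_JSON)
    for kind, items in findings.items():
        status = "OK" if not items else ", ".join(items)
        print(f"{kind}: {status}")
```

Run against the constructed inputs it reports both env vars and both implied capabilities as undeclared, which is exactly the integrity gap the scan flags; a manifest that lists them makes the check come back clean. The regex is deliberately loose (any underscore-joined upper-case token), so treat a hit as a prompt to read the SKILL.md line, not as proof.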

Like a lobster shell, security has layers — review code before you run it.

latest: vk97d0wn6c4aw9h9w1xy4cc386h8162t6

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
