Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Meihua Yishu — 梅花易数占卜
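v1.0.0 · Meihua Yishu (Plum Blossom Numerology) divination tool, part of the fortune-telling-skills fortune-calculation suite. Based on Shao Yong's "Meihua Yishu" system, it supports several ways of casting a hexagram, including by time, by number, and by text, and judges good or bad fortune from the five-element generating and overcoming relationships between the ti (体, subject) and yong (用, object) trigrams. Casting is a deterministic calculation followed by LLM interpretation of the hexagram, with no external API dependency. Trigger words: 梅花易数, 起卦, 占卜, 卦象, 体用, 八卦占卜, 帮我起...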
by eamanc@eamanc-lab
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (梅花易数占卜) matches the provided instructions and reference documents: all calculation and interpretation logic is self-contained and no external APIs or credentials are requested. However, the SKILL.md explicitly instructs the agent to read from and potentially write to local files (MEMORY.md in the skill directory and fortune-hub/MEMORY.md). The skill manifest lists no required config paths; that mismatch is a design inconsistency (the skill will access repository files even though no config paths were declared).
Instruction Scope
Runtime instructions require reading MEMORY.md in the current directory and optionally fortune-hub/MEMORY.md, and will write to MEMORY.md only when the user explicitly sets preferences. Reading those files can expose user-stored preferences or other content (possibly sensitive) from the workspace/repo. Otherwise the instructions stay within the stated purpose: they outline deterministic local calculations and LLM-based interpretation with no external endpoints or env-var access. Still: the explicit file I/O to repository paths is the primary scope creep to review.
Install Mechanism
This is an instruction-only skill with no install spec and no code files to execute or download. That minimizes injection/execution risk from installers.
Credentials
The skill requests no environment variables, credentials, binaries, or external services — proportional to its stated purpose. The only requested resources are local repo files (MEMORY.md and fortune-hub/MEMORY.md), which are not declared in the manifest's config paths; be aware reading/writing these files may access user data not otherwise obvious from the manifest.
Persistence & Privilege
The skill does not set always:true, does not request autonomous elevated privileges, and only writes to a local MEMORY.md when the user '明确表达偏好' (explicitly asks). It does not attempt to modify other skills or system-wide agent settings.
What to consider before installing
This skill appears to implement the stated divination logic locally and does not request credentials or external network access — but it will read (and may write) MEMORY.md files in the workspace and in fortune-hub/MEMORY.md if present. Before installing or enabling:
1) Inspect any existing MEMORY.md files in the skill directory and in fortune-hub/ and remove any sensitive data (secrets, PII, tokens).
2) Confirm you are comfortable with an agent reading repository files; if not, block skill access to that repo or remove/empty MEMORY.md.
3) Because the manifest didn't declare those config paths, ask the author (or maintainer) to clarify and to declare file access explicitly.
4) If you plan to let the skill write preferences, review exactly what it will store and prefer opt-in each time.
If you need higher assurance, run the skill in a sandboxed environment or ask for a version that avoids reading repository files.
Like a lobster shell, security has layers — review code before you run it.
