随便算算-八字命理助手 ("Casual Reading: Bazi Fortune-Telling Assistant")

Review

Audited by ClawScan on May 14, 2026.

Overview

The skill mostly matches its stated fortune-telling purpose, but it warrants review: it picks up locally stored model API credentials without declaring them, and it bundles a helper script that builds a shell command from user input.

Install only if you are comfortable with this skill using your configured OpenClaw/OpenAI-compatible model credentials and sending birth details and questions to that provider. Do not run convert.py as shipped; remove it or fix it first, because it concatenates user input into a shell=True command (a shell-injection pattern).

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Finding 1: Undeclared use of local model credentials

What this means

The skill may use an existing local LLM provider API key and account configuration to make model calls for astrology responses.

Why it was flagged

The skill reads a local OpenClaw account/model configuration file (~/.openclaw/openclaw.json) for an API key and falls back to the OPENCLAW_API_KEY and OPENAI_API_KEY environment variables, even though the registry requirements list no env vars and no primary credential.

Skill content
path = os.path.expanduser("~/.openclaw/openclaw.json") ... api_key = (provider.get("apiKey") or os.getenv("OPENCLAW_API_KEY") or os.getenv("OPENAI_API_KEY"))
Recommendation

Declare the credential and local config access in metadata and documentation, and give users a clear opt-in path that states which API key, base URL, and model will be used before any model call is made.
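One way to implement that opt-in, as an added example written for this review and not code from the skill: the resolution order mirrors the quoted snippet (config apiKey, then OPENCLAW_API_KEY, then OPENAI_API_KEY), but nothing is used unless the user names the source explicitly, the config file is only opened after that opt-in, and the chosen key is reported by fingerprint rather than value. The opt-in variable BAZI_CREDENTIAL_SOURCE, the config layout under "providers", and the default endpoint/model are assumptions, not details taken from the skill.

```python
import hashlib
import json
import os
from dataclasses import dataclass
from typing import Callable, Mapping

# Assumed names (not from the skill): the opt-in variable and the default endpoint/model.
OPT_IN_VAR = "BAZI_CREDENTIAL_SOURCE"
VALID_SOURCES = ("config", "OPENCLAW_API_KEY", "OPENAI_API_KEY")
DEFAULT_BASE_URL = "https://api.openai.com/v1"
DEFAULT_MODEL = "gpt-4o-mini"


@dataclass(frozen=True)
class ModelConfig:
    key_source: str        # which of VALID_SOURCES supplied the key
    key_fingerprint: str   # short SHA-256 prefix: lets a user recognise a key without seeing it
    base_url: str
    model: str
    api_key: str


def fingerprint(key: str) -> str:
    return hashlib.sha256(key.encode("utf-8")).hexdigest()[:8]


def resolve_model_config(env: Mapping[str, str],
                         read_config: Callable[[], str],
                         provider_name: str = "default") -> ModelConfig:
    """Use exactly the credential the user named in BAZI_CREDENTIAL_SOURCE.

    read_config is called only when the user opted into the local config file,
    so the skill never touches ~/.openclaw/openclaw.json otherwise.
    """
    source = env.get(OPT_IN_VAR, "")
    if source not in VALID_SOURCES:
        raise PermissionError(
            f"set {OPT_IN_VAR} to one of {VALID_SOURCES} to choose which credential this skill may use")

    provider: dict = {}
    if source == "config":
        # Assumed layout: {"providers": {"default": {"apiKey": ..., "baseUrl": ..., "model": ...}}}
        provider = json.loads(read_config()).get("providers", {}).get(provider_name, {})
        key = provider.get("apiKey")
    else:
        key = env.get(source)

    if not key:
        raise LookupError(f"credential source {source} was selected but holds no key")

    return ModelConfig(
        key_source=source,
        key_fingerprint=fingerprint(key),
        base_url=env.get("BAZI_BASE_URL") or provider.get("baseUrl") or DEFAULT_BASE_URL,
        model=env.get("BAZI_MODEL") or provider.get("model") or DEFAULT_MODEL,
        api_key=key,
    )


def describe(cfg: ModelConfig) -> str:
    """User-facing line to print before the first model call; never includes the key."""
    return (f"credential: {cfg.key_source} (fingerprint {cfg.key_fingerprint}); "
            f"endpoint: {cfg.base_url}; model: {cfg.model}")


def read_openclaw_config() -> str:
    """Real reader, used only after opt-in; the path is the one quoted in the finding."""
    with open(os.path.expanduser("~/.openclaw/openclaw.json"), encoding="utf-8") as fh:
        return fh.read()


# Constructed sample config and environments for the offline demonstration.
SAMPLE_CONFIG = json.dumps({"providers": {"default": {
    "apiKey": "sk-config-example", "baseUrl": "https://llm.example.invalid/v1", "model": "example-model"}}})


def demo_env_key() -> ModelConfig:
    """Opt into an env var; the config reader must not be called at all."""
    def refuse() -> str:
        raise AssertionError("config file read without opt-in")
    return resolve_model_config({OPT_IN_VAR: "OPENAI_API_KEY", "OPENAI_API_KEY": "sk-env-example"}, refuse)


def demo_config_key() -> ModelConfig:
    return resolve_model_config({OPT_IN_VAR: "config"}, lambda: SAMPLE_CONFIG)


if __name__ == "__main__":
    print(describe(demo_env_key()))
    print(describe(demo_config_key()))
```

Printing describe() once at startup gives the user the three facts the recommendation asks for (which key, which endpoint, which model) without ever echoing the secret; in production the lambda is replaced by read_openclaw_config.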

Finding 2: Shell injection in the bundled convert.py helper

What this means

If this helper script is run with untrusted input, it could execute unintended local shell commands.

Why it was flagged

A bundled helper (convert.py) concatenates user-supplied CLI arguments (gans, zhis) into a command string and runs it with shell=True. It is not the documented SKILL.md entrypoint, but anyone who invokes it with attacker-influenced arguments gets shell injection: a metacharacter such as ';' in the argument becomes a second command.

Skill content
parser.add_argument('gans' ...); parser.add_argument('zhis' ...); print(subprocess.check_output("python bazi.py -b " + result, shell=True).decode('gbk'))
Recommendation

Remove the unused helper, or rewrite it to pass an argument list to subprocess with shell=False and to validate that the gan/zhi input contains only the ten heavenly stems and twelve earthly branches.
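The quoted pattern beside the hardened form, as an added example written for this review (not the skill's convert.py). vulnerable_command only builds the string that shell=True would hand to the shell, so the example runs offline; validate_pillars enforces the character whitelist the recommendation asks for and, going one step further, rejects stem/branch pairs that do not occur in the 60-term sexagenary cycle. The assumption that bazi.py -b takes the four pillars as separate arguments is mine; the finding elides how convert.py formats result.

```python
import subprocess
import sys

GANS = "甲乙丙丁戊己庚辛壬癸"     # ten heavenly stems
ZHIS = "子丑寅卯辰巳午未申酉戌亥"  # twelve earthly branches


def vulnerable_command(result: str) -> str:
    """The pattern quoted from convert.py, minus the execution.

    Whatever convert.py derives `result` from, the characters end up in a
    string handed to /bin/sh (or cmd.exe) by shell=True, so a ';', '|',
    '$(...)' or '&&' inside the CLI argument becomes a second command.
    """
    return "python bazi.py -b " + result


def validate_pillars(gans: str, zhis: str) -> list[str]:
    """Accept only four stems and four branches that form real sexagenary pairs."""
    if len(gans) != 4 or len(zhis) != 4:
        raise ValueError("expected exactly four stems and four branches")
    pillars = []
    for g, z in zip(gans, zhis):
        if g not in GANS or z not in ZHIS:
            raise ValueError(f"invalid character in {g!r}{z!r}")
        # In the 60-term cycle a yang stem (even index) pairs only with a yang
        # branch (even index), and likewise for yin; 甲丑, for example, never occurs.
        if GANS.index(g) % 2 != ZHIS.index(z) % 2:
            raise ValueError(f"{g}{z} is not one of the 60 stem-branch pairs")
        pillars.append(g + z)
    return pillars


def hardened_argv(gans: str, zhis: str) -> list[str]:
    """argv list for subprocess with shell=False: each pillar is its own argument.

    sys.executable avoids a PATH lookup for "python"; the -b layout is assumed.
    """
    return [sys.executable, "bazi.py", "-b", *validate_pillars(gans, zhis)]


def run_hardened(gans: str, zhis: str) -> str:
    # No shell is involved, so even a metacharacter that slipped past validation
    # would reach bazi.py as literal argv text rather than as a command.
    proc = subprocess.run(hardened_argv(gans, zhis), capture_output=True, check=True)
    return proc.stdout.decode("utf-8", errors="replace")  # convert.py used 'gbk' for a Windows console


if __name__ == "__main__":
    # Constructed injection payload; with shell=True the trailing command would run.
    print(vulnerable_command("甲子 乙丑 丙寅 丁卯; id"))
    print(hardened_argv("甲乙丙丁", "子丑寅卯"))
    try:
        hardened_argv("甲乙丙丁", "子丑寅卯; id")
    except ValueError as exc:
        print("rejected:", exc)
```

Both defences matter: the whitelist stops bad input at the boundary, and the argv list removes the shell so that a validation gap cannot become command execution.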

Finding 3: Birth details and questions are sent to the model provider

What this means

Birth date/time, gender, and questions may be included in prompts sent to the configured model provider.

Why it was flagged

The skill is designed to process birth details and questions through an OpenAI/OpenClaw-compatible model provider. This is purpose-aligned, but it is a data boundary users should notice.

Skill content
Input birth information and a question; returns a Chinese-language analysis suitable for the user to read. ... Uses an OpenClaw / OpenAI SDK-compatible large-model interface. (Translated from the skill's Chinese SKILL.md; original: 输入出生信息和问题,返回适合用户阅读的中文分析。 ... 使用 OpenClaw / OpenAI SDK 兼容的大模型接口。)
Recommendation

Use a trusted provider, avoid entering information you do not want sent to that provider, and document what data is included in LLM prompts.

Finding 4: Unpinned Python dependencies

What this means

Future dependency versions could change behavior or introduce vulnerabilities.

Why it was flagged

The README instructs users to pip install from requirements.txt, and the listed dependencies are either lower-bounded only (openai, python-dotenv) or carry no version specifier at all (bidict, lunar-python). This is common, but it means a future release of any of them is installed without review.

Skill content
openai>=2.0.0
python-dotenv>=1.0.0
bidict
lunar-python
Recommendation

Pin exact dependency versions, preferably with hashes or a lockfile, and update them deliberately rather than at install time.
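A small requirements.txt audit, as an added example for this review (not part of the skill): it classifies each line the way the finding does, so the four quoted lines come back as two lower-bounded and two unpinned, and it recognises the hashed exact pin that the recommendation asks for. The sample file is the four lines from the finding; the hash line in the usage is constructed with a placeholder digest.

```python
import re
from typing import Optional

# The four lines quoted in the finding, embedded as a constructed sample.
SAMPLE_REQUIREMENTS = """\
openai>=2.0.0
python-dotenv>=1.0.0
bidict
lunar-python
"""

_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(.*)$")
_EXACT_PIN_RE = re.compile(r"==\s*[^,\s*]+")   # ==X with no range, no wildcard


def classify(line: str) -> Optional[tuple[str, str]]:
    """Return (name, status) for a requirement line, or None for non-requirements.

    status: 'pinned+hash' (==X with --hash), 'pinned' (==X), 'bounded' (any other
    operator, a range, or a wildcard pin) or 'unpinned' (no specifier at all).
    """
    body = line.split("#", 1)[0].strip()
    if not body or body.startswith("-"):       # blank, comment, or pip option such as -r/--index-url
        return None
    body = body.partition(";")[0].strip()       # drop environment markers
    hashed = "--hash=" in body
    body = body.split("--hash=", 1)[0].strip()
    match = _NAME_RE.match(body)
    if not match:
        return (body, "unparsed")
    name, _extras, spec = match.groups()
    spec = spec.strip()
    if not spec:
        status = "unpinned"
    elif _EXACT_PIN_RE.fullmatch(spec):
        status = "pinned+hash" if hashed else "pinned"
    else:
        status = "bounded"                      # >=, ~=, <, ranges, or wildcard pins like ==2.*
    return (name, status)


def audit(text: str) -> dict[str, str]:
    result = {}
    for line in text.splitlines():
        entry = classify(line)
        if entry:
            result[entry[0]] = entry[1]
    return result


def floating(text: str) -> list[str]:
    """Names whose version pip may change on the next install."""
    return [name for name, status in audit(text).items()
            if status not in ("pinned", "pinned+hash")]


if __name__ == "__main__":
    for name, status in audit(SAMPLE_REQUIREMENTS).items():
        print(f"{name:15} {status}")
    print("floating:", floating(SAMPLE_REQUIREMENTS))
```

Lines of the 'pinned+hash' shape are what pip-compile --generate-hashes (pip-tools) emits, and pip install --require-hashes -r requirements.txt then refuses any package whose digest does not match, which is the install-time enforcement the recommendation is after.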

Finding 5: Prompt is tuned for persuasiveness and hides its basis

What this means

Users may over-trust generated astrology advice, especially for money, work, health, or relationship questions.

Why it was flagged

The model prompt tells the model that being convincing matters more than being accurate, and that it must not reveal that the answer is derived from the bazi, luck-cycle and annual data carried in the prompt. In an astrology skill this is stylistic, but it makes generated advice sound more authoritative than it is.

Skill content
Explaining well and convincingly matters more than calculating accurately. ... Do not say things like "based on the bazi information you provided" ... Do not let it be obvious that your prompt contains the bazi, major luck cycles (dayun), annual luck (liunian) and similar data. (Translated from the skill's Chinese prompt; original: 解释得好,解释的让人信服,比算得准更重要。 ... 不要明说“根据您提供的八字信息”之类的话 ... 不要让人明显看出你的prompt里带上了八字大运流年等信息。)
Recommendation

Add clear user-facing framing that outputs are interpretive and entertainment-oriented and should not replace professional advice on money, work, health, or relationships.