Skill v1.0.4
ClawScan security
Star Sign / Horoscope Inquiry - 星座运势查询 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 3, 2026, 9:23 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is coherent: it fetches horoscope data from JisuAPI, needs a JISU_API_KEY and python3, and its code and runtime instructions match that purpose.
- Guidance: This skill appears to do exactly what it claims: call JisuAPI to get horoscope data. Before installing: (1) Be aware that your JISU_API_KEY will be sent to api.jisuapi.com when the skill runs — only use a key you trust to share with that service. (2) Ensure the runtime has the Python 'requests' package (pip install requests) since astro.py depends on it but the skill metadata doesn't declare or install it. (3) If you need offline or private data handling, avoid providing your real API key or confirm the provider's data/privacy policies.
Review Dimensions
- Purpose & Capability: ok. Name/description match the actual behavior: the skill queries JisuAPI horoscope endpoints and only requires python3 and a JISU_API_KEY, which are appropriate for this purpose.
- Instruction Scope: ok. SKILL.md and astro.py limit actions to calling JisuAPI endpoints (/astro/all and /astro/fortune) and returning the API result. Instructions require the API key and show how to call the script; they do not request unrelated files, other credentials, or unexpected external endpoints.
- Install Mechanism: note. No install spec (instruction-only), which is low risk. One practical inconsistency: astro.py imports the Python 'requests' package but the metadata does not declare or install this dependency — the runtime will fail unless 'requests' is present. This is an engineering oversight, not a malicious indicator.
- Credentials: ok. Only JISU_API_KEY is required and that is the legitimate API credential needed to call the JisuAPI service. There are no unrelated credentials or broad environment/config path requests.
- Persistence & Privilege: ok. The skill does not request always:true, does not modify other skills or system config, and is invoked only when the user/agent chooses it. Normal autonomous invocation is allowed but not excessive here.
