Bazi Chart - 八字排盘

Security checks across malware telemetry and agentic risk

Overview

No suspicious behavior is evident; the skill does what it says, but it uses your Jisu API key and sends the birth-chart details you provide to JisuAPI.

This appears safe for its stated purpose. Before installing, be comfortable with sharing the entered birth-chart details with JisuAPI and with the skill using your JISU_API_KEY; consider using a dedicated/rotatable API key and avoiding a real name if it is not needed.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI04: Agentic Supply Chain Vulnerabilities
Info
What this means

You have less independent source information to judge the publisher before trusting the skill with an API key.

Why it was flagged

The artifact set does not provide an upstream source or homepage for provenance checking, although the included code is small and no remote install mechanism is shown.

Skill content

Source: unknown
Homepage: none

Recommendation

Review the included code and only install if you trust the ClawHub publisher/artifact; consider using a scoped or easily rotated JisuAPI key.

ASI03: Identity and Privilege Abuse
Low
What this means

The skill can use your JisuAPI account permissions and quota for the bazi API call.

Why it was flagged

The skill reads a JisuAPI credential from the environment and uses it as the appkey for the API request. This is expected for the stated API integration and is disclosed.

Skill content

appkey = os.getenv("JISU_API_KEY") ... data = {"appkey": appkey, ...}

Recommendation

Use a key intended for this API, monitor usage/quota, and rotate the key if you stop using the skill or suspect exposure.

ASI07: Insecure Inter-Agent Communication
Low
What this means

Personal birth-chart inputs you provide are shared with JisuAPI to compute the result.

Why it was flagged

The code sends the user-provided name, city, birth date/time, sex, and API key to the documented third-party endpoint. This is purpose-aligned and disclosed, but it is still an external data flow involving personal details.

Skill content

PAIPAN_URL = "https://api.jisuapi.com/bazi/paipan" ... "name": name, "city": city, "year": year, "month": month, "day": day, "hour": hour, "minute": minute, "sex": sex ... requests.get(PAIPAN_URL, params=data, timeout=15)

Recommendation

Only provide information you are comfortable sharing with the provider; use a nickname or blank/non-identifying name if possible, and review JisuAPI’s privacy terms if this matters to you.