ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Vedic Horoscope

v1.0.0

Generates personalized Vedic horoscopes and birth charts based on birth data and astrological calculations.

0· 32·0 current·0 all-time
byToolWeb@krishnakumarmahadevan-cmd
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (Vedic horoscope generator) match the provided OpenAPI spec and SKILL.md. The endpoints and request fields are appropriate for generating horoscopes. Minor note: the SKILL.md describes a hosted backend/service (api.mkkpro.com) but the skill bundle contains no code or credentials — it appears to be an instruction-only integration that calls a third-party API, which is plausible but should be expected.
!
Instruction Scope
The instructions require submitting detailed personal data (full name, parents' names, DOB/time/place, mobile) to an external API (api.mkkpro.com / api.mkkpro.com:8159). That is coherent with horoscope generation but is a privacy concern: the skill will send personally identifiable information (PII) to a third party. SKILL.md does not document privacy, retention, or consent. The instructions do not attempt to read local files or other unrelated environment variables (good), but they do direct data off-agent to an external service of unknown trustworthiness.
Install Mechanism
No install spec and no code files—this is instruction-only. That minimizes on-disk risk; nothing is downloaded or executed by the install process.
Credentials
The skill requests no environment variables or credentials, which is proportionate. However, the OpenAPI and SKILL.md reference a hosted API that in other contexts might require an API key; the bundle provides no information about authentication or rate-limiting, and the service owner/homepage is unclear. Absence of declared credentials reduces attack surface but also leaves provenance and trust unclear.
Persistence & Privilege
always is false and the skill requires no persistent agent modifications or system-level privileges. Autonomous invocation is allowed (platform default) but not combined with additional privileges.
What to consider before installing
This skill appears to call a third‑party API (api.mkkpro.com) to generate horoscopes and will send sensitive personal data (names, birth date/time/place, mobile). Before installing, consider: 1) Do you trust the external service and its privacy/retention practices? Ask the publisher for a privacy policy and endpoint ownership details. 2) Test with dummy/non-sensitive data first. 3) Avoid sending real mobile numbers or other PII until you verify the service. 4) If you require on‑premise or privacy-preserving generation, prefer a skill that runs locally or documents data handling and authentication. 5) If you plan production use, request formal API credentials, SLA, and security documentation from the publisher.

Like a lobster shell, security has layers — review code before you run it.

latestvk9713fb1yzxn9kz1zmpxgam11d83yn36

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments