中国农历查询
PassAudited by ClawScan on May 6, 2026.
Overview
This skill appears to perform the advertised lunar-calendar lookups, with the main caution that it uses an external API token and sends date queries to that service.
This looks safe to use for lunar-date conversion if you trust nongli.skill.4glz.com. Before installing, be prepared to provide a HUANGLI_TOKEN, keep that token private, leave HUANGLI_BASE on the trusted default unless you know why you are changing it, and remember that queried dates will be sent to the external API.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The service token may be tied to the user's account or quota, so anyone who obtains it could use that API access.
The helper reads a bearer token from the environment and sends it in API requests. This is expected for the service, but it is still credential-bearing access.
base = os.environ.get("HUANGLI_BASE", BASE_DEFAULT).rstrip("/") ... token = os.environ.get("HUANGLI_TOKEN", "") ... headers = {"Authorization": f"Bearer {token}"}Use a dedicated/revocable token, do not paste it into chats or logs, and keep HUANGLI_BASE set only to a trusted endpoint.
The external service can see the dates or date ranges being queried, along with the API token used for authentication.
The skill discloses that lookups require outbound access to an external API host.
outbound_hosts: - api.nongli.skill.4glz.com
Install only if you trust the listed service provider, and avoid sending date queries whose meaning you consider private.