Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ziwei Doushu Advisor

v0.1.0

Provides the chart-casting data that large language models need for fate and fortune analysis

by Astromyst @letswinone888
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The skill's claimed purpose (providing Ziwei Doushu charting data) aligns with the described HTTP API endpoints and use of curl. However, SKILL.md explicitly requires an API key (MYFATE_AI_API_KEY) for authentication while the registry metadata stated 'Required env vars: none' and 'Primary credential: none'. That discrepancy is incoherent: a remote API that requires an API key should declare that credential in the metadata.
! Instruction Scope
Runtime instructions are concrete (POSTs to https://skill.myfate.ai/api/skills/TOOL_NAME with api-key in headers) and include reasonable parameter rules and error handling. But the doc also instructs the agent to '直接读取当前上下文记忆中的参数' (directly read current context memory) and to automatically reissue requests after a user completes payment without asking for the birth data again. Automatically reusing stored personal birth/time data is a privacy-sensitive behavior that expands the agent's scope beyond a single on-demand request and should be explicit in metadata/consent flows.
Install Mechanism
This is an instruction-only skill with no install spec or code files; required binary is curl. That is the lowest-risk install profile and is proportionate for a skill that issues HTTP requests.
! Credentials
SKILL.md requires an API key passed as MYFATE_AI_API_KEY (x-api-key or Authorization header), which is necessary for the stated purpose. However, the skill's registry metadata did not declare this required environment variable or primary credential. The missing declaration is a meaningful inconsistency: the skill will not function without that secret and users need to know what to supply and how the secret will be stored/used.
Persistence & Privilege
The skill is not always-on (always: false) and uses normal autonomous invocation. The only persistence-like behavior is the instruction to reuse context memory for resuming requests after payment; this is a functional convenience but also a privacy consideration (retaining/using PII without re-confirmation). This should be documented and consented to by users.
What to consider before installing
Before installing, verify the publisher and fix the metadata mismatch: SKILL.md requires an API key named MYFATE_AI_API_KEY but the registry lists no required env vars — ask the publisher to declare this credential in the skill metadata. Understand that the skill will ask the agent to store and later reuse users' birth date/time (sensitive personal data) to automatically resume requests after payment; confirm you are comfortable with that memory usage and how secrets are stored. Ensure the endpoint (https://skill.myfate.ai) is legitimate, store the API key in the agent's secure secrets store (not in plain text), and test with a non-production key first. If you need stronger privacy controls, request an explicit opt-in/opt-out for automatic reuse of stored birth data or insist the skill re-confirm PII before resuming requests.

Like a lobster shell, security has layers — review code before you run it.

latest vk974kpbd2frggv50ervdbbybzh82p09g

Runtime requirements

🌤️ Clawdis
Bins: curl