Bytesagain Fortune Teller
PassAudited by ClawScan on May 10, 2026.
Overview
This appears to be a simple local fortune-game skill with no network or credential use, though its advertised commands, install story, and local logging are worth noticing.
This skill looks safe for light entertainment use. Before installing, note that the reviewed files do not clearly provide all advertised tarot/I Ching commands, the CLI packaging is not specified, and one helper script can save local history under ~/.local/share/fortune-teller unless you change or delete that directory.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent or user may expect tarot/I Ching features that are not actually provided by the reviewed scripts.
The skill advertises several fortune features, but the included fortune script only implements bazi, daily, and zodiac commands, while the other script is a generic utility. This is a capability-coherence issue, not evidence of malicious behavior.
description: "Draw tarot cards, cast I Ching hexagrams..." ... "tarot", "iching", "daily", "compatibility", "numerology", "palmistry"
Treat this as an entertainment tool and verify the available commands before relying on a specific feature.
If wired into a CLI, the skill will depend on local shell/Python execution that is not clearly declared in the registry metadata.
The artifacts include local Bash/Python helper code even though the registry lists no required binaries and no install spec. This is under-declared runtime plumbing, but the code is provided and does not show hidden downloads or remote execution.
#!/usr/bin/env bash ... python3 -c
Install only from the reviewed source, ensure the CLI maps to the reviewed scripts, and declare bash/python3 requirements in metadata if this is packaged.
User-entered text passed to the generic add/run/config-style commands may be stored locally until deleted.
The generic helper creates a persistent local data directory and records command history or added entries. This is scoped to local files and partly disclosed by SKILL.md, but users should know inputs can be retained.
DATA_DIR="${FORTUNE_TELLER_DIR:-${XDG_DATA_HOME:-$HOME/.local/share}/fortune-teller}" ... DB="$DATA_DIR/data.log" ... >> "$DATA_DIR/history.log"Avoid entering sensitive personal data, set FORTUNE_TELLER_DIR to a location you control if needed, and delete the local fortune-teller data directory to clear history.