Skillv1.0.0

ClawScan security

celestchart-astrology-skills · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignMar 12, 2026, 4:04 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's code, instructions, and requested environment variables are consistent with its stated purpose (calling a CelestChart API with birth data to produce daily astrology output).
Guidance: This skill appears to do what it says: it posts your birth data and API key to the CelestChart service and returns JSON for the agent to format. Before installing, verify you trust the endpoint (https://xp.broad-intelli.com) and that your CELESTCHART_API_KEY is legitimate. Be aware you are providing personal data (birth date/time and location), which is sensitive; only use this with services you trust and avoid reusing the same API key for other untrusted tools. If you want exact metadata alignment, add CELESTCHART_API_URL to the declared env list (it is optional in the script).

Purpose & Capability: okName/description ask for personal daily astrology via CelestChart and the skill only requires curl plus an API key and detailed birth data — all of which are necessary and expected for generating personalized astrological forecasts.
Instruction Scope: noteSKILL.md and run.sh focus solely on calling the CelestChart endpoint and formatting results. Minor inconsistency: run.sh accepts an optional CELESTCHART_API_URL env var (to override the base URL) but that optional var is not listed in the declared requires.env — behavior is benign but slightly out-of-sync with metadata.
Install Mechanism: okNo install spec is provided (instruction-only with a small run.sh). The script only uses curl and does not download or execute unfamiliar artifacts, so installation risk is low.
Credentials: okRequested environment variables are the API key and detailed birth information (year/month/day/hour/minute/longitude/latitude/timezone). These are appropriate and proportionate to producing a personalized astrology forecast; no unrelated credentials or secret variables are requested.
Persistence & Privilege: okalways is false and the skill is user-invocable; it does not request permanent elevated presence or attempt to modify other skills or system-wide settings.