Skill v1.1.0

ClawScan security

Meihua Yijing · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Mar 6, 2026, 9:08 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill appears to implement a local Meihua Yijing divination script and the declared requirements match the code we can see, but the included Python file was truncated in the provided bundle so I cannot fully confirm there is no hidden network or sensitive activity.
Guidance
The visible files and instructions are coherent for a local divination tool and request no credentials or network access. However, the included meihua.py content in the bundle was truncated (the file ended with “…[truncated]”), so you should not install/run this skill until you or someone you trust inspects the complete meihua.py. Specifically: (1) open the full meihua.py and search for network/socket/requests/http imports or calls (requests, urllib, socket, ftplib, paramiko, subprocess, os.system, exec/eval), (2) verify there are no hidden remote endpoints or code-download logic, and (3) run it in a sandboxed environment first if you plan to execute it. If the full file contains only the shown logic (gua generation, formatting, and CLI parsing) then the skill is internally coherent and low-risk.

Review Dimensions

Purpose & Capability: ok
Name/description (梅花易数占卜) match the provided SKILL.md and the visible meihua.py logic (time/number/direction-based gua generation). Required binary (python3) is appropriate and proportional.
Instruction Scope: ok
SKILL.md explicitly instructs running the included Python script with time/numbers/direction parameters. The instructions do not ask the agent to read unrelated files, env vars, or contact external services.
Install Mechanism: ok
No install spec — instruction-only skill with a local script. No downloads or third-party package installs are requested in the metadata or SKILL.md.
Credentials: ok
No environment variables, credentials, or config paths are requested; the skill's logic (as visible) does not need external secrets.
Persistence & Privilege: ok
always is false and the skill does not request elevated or persistent platform privileges. It will be run only when invoked.