Yudao 易经占卜

Files and instructions mostly match a purely front-end divination app, but the SKILL.md contains a prompt-injection signal (unicode-control-chars) and there are some security/usability concerns (default admin creds stored in localStorage, hidden/extra features) that merit review before installing.

What to check before installing or hosting this skill: - Inspect SKILL.md and the HTML files in a text editor that can reveal invisible/control characters. The pre-scan flagged 'unicode-control-chars' in SKILL.md; remove any unexpected control characters. - Open files/index.html and files/admin.html locally and search (plain text) for any network calls (fetch, XMLHttpRequest, img/script src pointing to external domains), eval()/new Function(), or obfuscated code before hosting publicly. The bundle appears to be inline/static, but parts were truncated in the manifest — confirm no remote endpoints. - If you plan to deploy admin.html, change the default credentials immediately (the default is admin / changeme) and understand all user/account data is stored in localStorage (client-side), so it is not a secure server-side user system. - Consider whether you want to host this on a public webserver. The docs reference copying files to /var/www/html; if you do so, ensure proper server access controls so the admin panel and any backups are not exposed to unauthorized users. - Be cautious about features that provide financial, health, or personal predictions (lottery, stock, health symptom interpretation, and '人物特征预测'). They can be privacy-sensitive and may be misleading; the app includes a disclaimer but avoid relying on it for professional decisions. - If you lack the ability to audit the JavaScript yourself, run automated scans (search for network calls and potentially dangerous patterns) or open the pages in an isolated environment (offline browser) to validate behavior. Given the prompt-injection signal in the docs and the weak default admin credential, I recommend manual review of the full HTML/JS before installing or deploying publicly. If you want, I can help search the full index.html/admin.html contents for external requests or suspicious constructs (eval, obfuscated strings) — provide the untruncated file contents and I will analyze them.