Huangxianshi Divination

Security checks across malware telemetry and agentic risk

Overview

This appears to be a benign divination/fortune-drawing skill, with only minor notes about local script execution, small local state, and an optional sunrise helper that can call an external weather site.

This looks reasonable as an entertainment divination skill. Be aware it runs bundled Python code, stores a small local last-draw state, and includes a separate sunrise helper that would call wttr.in if manually used. Do not treat its fortune, health, legal, or financial content as reliable advice.

VirusTotal

65/65 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI05: Unexpected Code Execution
Low
What this means

Using the skill may run local Python code from the skill package to produce the fortune result.

Why it was flagged

The skill asks the agent to execute a bundled Python CLI for its core draw and explain workflows. This is disclosed and aligned with the skill purpose, but it is still local code execution.

Skill content

python3 {baseDir}/scripts/lot_cli.py draw-ritual

Recommendation

Install only if you are comfortable with this bundled local CLI being run for draw/explain commands.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

If this helper is manually run, it can make an external network request and keep the process waiting until sunrise.

Why it was flagged

An included helper script, not described in the main SKILL.md workflow, contacts an external weather service and may wait before running the draw command. It is purpose-adjacent and not shown as automatically invoked.

Skill content

SUNRISE=$(curl -s "wttr.in/Shanghai?format=%S" 2>/dev/null) ... sleep $((WAIT_MIN * 60)) ... python3 scripts/lot_cli.py draw-ritual

Recommendation

Do not run the sunrise helper unless you intentionally want the wttr.in lookup and possible waiting behavior.

ASI06: Memory and Context Poisoning
Info
What this means

The skill may remember the most recently drawn lot across invocations in its local data file.

Why it was flagged

The CLI persists the last draw number and timestamp so future 'explain' requests can default to the previous draw. This is purpose-aligned and low sensitivity, but it is persistent state.

Skill content

LAST_DRAW_PATH = os.path.join(DATA_DIR, 'last_draw.json') ... json.dump({'no': sign.get('number'), 'ts': time.time()}, f, ensure_ascii=False)

Recommendation

Treat the last-draw state as local convenience data; clear data/last_draw.json if you do not want prior draw state reused.