Skillv1.0.0

ClawScan security

Bazi Pro · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 8, 2026, 11:58 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill largely implements a Bazi calculator as described, but it contains inconsistencies (declared vs. actual credentials), reads the user's ~/.openclaw/.env, and embeds a strong system-prompt template — patterns that warrant caution before installing.
Guidance: What to consider before installing: - Source trust: the skill's source is unknown and the package contains executable code. Prefer installing only from trusted authors or vetted repos. - Credentials mismatch: the registry lists OPENAI_API_KEY but the skill treats DEEPSEEK_API_KEY as the primary key. Confirm with the author which key is actually required. - .env reading: index.js will load .env files from your current dir, the skill dir, and ~/.openclaw/.env and inject variables into process.env if missing. That means the skill can read other OpenClaw/global configuration (potentially other API keys). If you keep high-value credentials in ~/.openclaw/.env, consider removing or rotating them before testing. - Prompt override: the skill embeds a long system prompt that instructs the LLM to follow the skill's rules and not to reformat output. This is a prompt-injection pattern — it can change the behavior of the model in ways you may not expect. Review the SYSTEM_PROMPT_TEMPLATE in index.js to make sure its rules are acceptable. - Network use: the skill will call external LLM endpoints (DeepSeek or OpenAI) using whatever API key it finds. That means those keys will be used by this skill and requests will go to external services. If you don't want that, run with --no-interpret or remove API keys. - Mitigations: inspect the full source locally; run in a restricted/sandboxed environment; do not keep other sensitive keys in ~/.openclaw/.env while testing; if you install, consider creating a dedicated API key with limited scope and rotate/revoke it after use. - Ask the author: request clarification about DEEPSEEK vs OPENAI credential requirements, why the skill reads ~/.openclaw/.env, and why it enforces the embedded system prompt. If answers are unsatisfactory, avoid installing.
Findings: [system-prompt-override] unexpected: A Bazi calculator that simply formats results would not normally embed a large system prompt meant to override agent behavior. The code includes a SYSTEM_PROMPT_TEMPLATE that instructs the LLM how to behave — this is consistent with the scanner flag and is present in index.js. [base64-block] unexpected: The scanner reported a base64-block pattern in SKILL.md. The provided SKILL.md and code do include explicit prompt text and special formatting; no obvious base64 payload was visible in the truncated code, but the pre-scan flag indicates possible obfuscated content in the skill text. This should be checked in full.

Review Dimensions

Purpose & Capability: noteName, description, and code match a Bazi calculation + LLM interpretation tool and require node. However the registry lists only OPENAI_API_KEY as required while the SKILL.md and runtime prefer DEEPSEEK_API_KEY as the primary credential. The skill also reads .env files (including ~/.openclaw/.env) which expands its scope beyond a simple calculator.
Instruction Scope: concernSKILL.md and index.js contain explicit 'CRITICAL' instructions and embed a large SYSTEM_PROMPT_TEMPLATE that tells the LLM to obey specific domain rules and to prefer the skill's prompt over the agent's own interpretation. The SKILL.md explicitly instructs the agent not to reformat or summarize output. These are effectively prompt-override instructions (prompt-injection patterns were detected) and grant the skill strong control over what the LLM returns.
Install Mechanism: okNo external install script or remote download is present; this is an instruction+code bundle with bundled SDK. Nothing is fetched from arbitrary URLs during install in the provided files.
Credentials: concernRegistry declares only OPENAI_API_KEY required, but SKILL.md and index.js treat DEEPSEEK_API_KEY as primary and fall back to OPENAI. index.js actively loads .env from multiple paths including ~/.openclaw/.env and will inject variables into process.env if not set — this accesses user-global configuration and potentially other skills' secrets. The code will then use whichever API key it finds to call external LLM endpoints.
Persistence & Privilege: concernThe skill does not set always:true and does not appear to alter other skills, but it explicitly reads the user's OpenClaw config (~/.openclaw/.env). Accessing that path is out-of-scope for a single-purpose calculator and increases the skill's effective privilege by exposing broader environment data to the skill at runtime.