bazi-analysis
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This BaZi analysis skill appears purpose-aligned, but users should know it may send birth time and gender to a third-party charting API.
This skill is reasonable for BaZi analysis, but install it only if you are comfortable with fallback charting through yoebao.com. To minimize data sharing, provide your own pre-calculated chart and do not provide any wallet credentials, passwords, or tokens.
Publisher note
ASI03 false-positive statement

Verification result: a full-text search was run over all 61 files in this Skill with the patterns wallet, credential, token, private_key, sensitive and require; the result was zero hits.

Inferred cause of the false positive: the two signals (requires-wallet, requires-sensitive-credentials) do not originate from any source file of this Skill. SKILL.md, openai.yaml, evals.json, fetch_bazi.py and all 9 reference documents contain neither these keywords nor any equivalent semantics. The signals most likely come from:
- template default values injected when the platform packaged/registered the Skill, for which the publisher could not find a way to turn them off;
- or a keyword mismatch by the scanner on generic variable names in scripts/fetch_bazi.py (such as the URL parameters sex, timestamp and do).

Actual capability boundary:

Capability            | Used by this Skill                                        | Evidence
Outbound network      | Yes (anonymous GET to the yoebao.com charting API only)   | scripts/fetch_bazi.py, lines 32-36
Wallet access         | No                                                        | zero full-text hits
Sensitive credentials | No                                                        | zero full-text hits
File writes           | Own directory only                                        | all reference files are read-only Markdown

Requested disposition: mark requires-wallet and requires-sensitive-credentials as false positives. This Skill's BaZi charting script is an unauthenticated call to a public API, and the fortune analysis never involves any wallet, payment or credential operation.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If you provide only raw birth information, the agent may run the helper script to calculate the chart rather than asking you to confirm first.
The skill can invoke a local helper automatically for fallback charting. This is purpose-aligned and scoped, but users should notice that a tool action may occur.
If the user has not provided a computed BaZi chart and has only given a birth time, silently call `scripts/fetch_bazi.py` to obtain the four pillars and the luck-cycle (大运) data.
If you do not want automatic chart lookup, provide your own pre-calculated four pillars or ask the agent not to call the API.
A third-party service may receive and log the birth timestamp and gender used for the chart calculation.
The helper sends the user’s birth date/time converted to a timestamp plus gender to a third-party API over HTTPS GET for chart calculation.
API_URL = "https://yoebao.com/bazi/api/bazi.php" ... url = f"{API_URL}?do=bytime&sex={sex}&timestamp={timestamp}"
Use a pre-calculated BaZi chart if you do not want birth details sent to yoebao.com, and avoid providing unnecessary personal identifiers.
The registry signals may be confusing, but the provided artifacts do not show the skill asking for or using wallet credentials.
The capability signals mention wallet and sensitive credentials, but the requirements and reviewed source do not show any wallet or credential use.
Capability signals: requires-wallet; requires-sensitive-credentials ... Primary credential: none
Do not provide wallet keys, passwords, tokens, or other credentials to this skill; the publisher should correct the capability metadata if it is inaccurate.
