ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Astrology API

v1.0.2

Astrology API: generate natal charts, synastry, composite, transits, solar/lunar returns, progressions, directions, planetary positions, house cusps, aspects...

1· 473·2 current·2 all-time
bySergii Solonyna@serslon
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, README, SKILL.md, and the included curl wrapper all consistently target the Astrology API (https://api.astrology-api.io). Requiring curl and ASTROLOGY_API_KEY is proportionate and expected for a REST API integration.
Instruction Scope
Runtime instructions ask the agent to collect personal birth data (name, birth date/time, location) — this is necessary for astrology functionality but is sensitive personal data. The SKILL.md and scripts instruct calls only to the declared API endpoints; they do not read other system files. One minor mismatch: the script supports an optional ASTROLOGY_API_URL environment variable (to override base URL) but SKILL.md frontmatter only declares ASTROLOGY_API_KEY.
Install Mechanism
No install/spec fetches arbitrary code. This is an instruction-only skill with a small, non-obfuscated bash script wrapper that calls curl; no remote downloads or extracted archives are present in the bundle.
Credentials
Only ASTROLOGY_API_KEY is required (primary credential). That single credential is appropriate for authenticating to the third‑party API. The script optionally reads ASTROLOGY_API_URL (not declared as required) — harmless but worth documenting. The skill will transmit user-provided PII (birth data) to the API endpoint.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and has no install behavior that writes privileged system/config files. Agent autonomous invocation is enabled by default (normal); this skill does not add elevated persistence.
Scan Findings in Context
[pre-scan-injection-signals] expected: Static pre-scan reported no injection or suspicious patterns. The code contains only a straightforward curl wrapper and API documentation; that is expected for this purpose.
Assessment
This skill is coherent: it calls a public astrology API using curl and an ASTROLOGY_API_KEY. Before installing, confirm you trust the third-party service (https://api.astrology-api.io) and obtain the API key from its dashboard. Be aware the skill will send sensitive personal data (birth date/time, location, names, and possibly partner data) to the remote API — review the service's privacy policy if you are concerned about retention or sharing. Protect the ASTROLOGY_API_KEY like any secret (do not paste it into public logs), and consider rotating the key if it may have been exposed. Note: you can override the base URL with ASTROLOGY_API_URL, though SKILL.md does not list this as required; only use that override if you control the replacement endpoint.

Like a lobster shell, security has layers — review code before you run it.

latestvk97066s0da4j3wghtvwpraffg181rz4s

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Clawdis
Binscurl
EnvASTROLOGY_API_KEY
Primary envASTROLOGY_API_KEY

Comments