浅草寺.skill
WarnAudited by ClawScan on May 10, 2026.
Overview
The fortune-telling purpose is harmless, but the included script downloads and executes mutable remote Python code instead of using only bundled fortune data.
Install only if you trust the remote GitHub repository and accept that its future changes can affect what runs locally. A safer version should include the fortune data and drawing script in the package, avoid runtime code downloads, and clearly disclose any network access.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the remote repository changes, the skill’s behavior can change after installation without the reviewed artifacts changing.
The skill retrieves runtime assets from a mutable GitHub `main` branch rather than from pinned, bundled files.
BASE = "https://raw.githubusercontent.com/Shaozrrr/asakusa-omikuji-skill/main"
Bundle the fortune data and drawing code in the skill package, or pin downloads to an immutable commit and verify checksums before use.
Running the advertised fortune command could execute arbitrary Python with the user’s local permissions if the remote script is modified or compromised.
The local script downloads another Python script and immediately executes it, so reviewed local code is only a launcher for unreviewed remote code.
download(SCRIPT_URL, local_script) ... runpy.run_path(str(local_script), run_name="__main__")
Do not execute downloaded scripts at runtime. Keep the executable logic local and reviewed; if remote execution is unavoidable, require explicit user approval and integrity verification.
Users and agents may trust the skill as a self-contained fortune draw while it actually depends on undisclosed live remote content.
The documentation presents the fortune set as local bundled data, but the file manifest contains no data files and the script instead downloads remote data and code.
用 `data/asakusa_omikuji_part*.json` 作为浅草寺 1-100 签的分片签文来源,运行时自动合并
Make the documentation match the implementation: disclose remote network use clearly, or package the referenced data files with the skill.