Skill v1.0.0
ClawScan security
Bazi Calculator - Shunshi AI · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 12, 2026, 3:15 PM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, instructions, and requirements are coherent with a local Bazi chart calculator: it runs a local Node script that depends on an npm library and does not request extra credentials or system access.
- Guidance
- This skill appears to be what it claims: a local Node.js Bazi calculator that depends on the npm package shunshi-bazi-core. Before installing or running:
  1. Inspect the shunshi-bazi-core package (npm page / repository) for its source, published version, and any install scripts (postinstall) — malicious packages can execute code during npm install.
  2. Run npm install in an isolated environment (container or sandbox) if you cannot verify the dependency.
  3. The calc.mjs script itself only prints JSON and does not exfiltrate data, but be cautious about how you resolve city coordinates: if you or the agent call external geocoding services to get lat/lon, you may send the user's birth/place data to third parties. Prefer user-supplied coordinates or a trusted/local lookup.
  4. Consider pinning a specific dependency version instead of a caret range and auditing its code before long-term use.

  If you want, I can fetch and summarize the shunshi-bazi-core package (its npm metadata and repository) to help you evaluate it further.
Review Dimensions
- Purpose & Capability
- ok: Name/description match the actual behavior: the skill runs a local Node.js calculator (scripts/calc.mjs) and depends on the shunshi-bazi-core package. No unrelated binaries, credentials, or config paths are requested.
- Instruction Scope
- ok: SKILL.md confines runtime actions to collecting birth info from the user and running the provided calc.mjs script. It does not instruct the agent to read arbitrary files, access environment secrets, or transmit results to external endpoints. The only possible outward action is using 'world knowledge' to find lat/lon for city names — that is a behavioral guideline, not an instruction to call a specific external API.
- Install Mechanism
- note: There is no platform install spec in the registry, but SKILL.md instructs running 'npm install' which will fetch shunshi-bazi-core from the npm registry. This is expected for a Node-based skill, but installing third-party npm packages can run lifecycle scripts (pre/postinstall) and execute code locally — review the dependency before install or run in an isolated environment.
- Credentials
- ok: The skill requests no environment variables, credentials, or config paths. The provided calc.mjs only consumes CLI args and does not read environment secrets.
- Persistence & Privilege
- ok: The skill is not always-enabled and does not request persistent/system privileges. It does not modify other skills or global agent settings; running npm will create node_modules in the skill directory (normal for Node projects).
