Skill v1.0.0

ClawScan security

bazi-fortune-analysis · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 10, 2026, 11:59 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requested inputs and runtime instructions are consistent with a BaZi (八字) fortune‑analysis assistant; it asks for personal birth data (expected) but does not request unrelated credentials, installs, or hidden endpoints.
Guidance
This skill is internally coherent for BaZi analysis, but it will ask for sensitive personal data (exact birth date/time and birthplace). Before installing or invoking: (1) confirm how the agent will compute timezone/true‑solar time — will it use offline logic or call external APIs? (2) ask whether birth data is transmitted or stored externally and for how long; avoid supplying exact birth place/time if you do not trust the runtime environment. If you need stronger privacy, request a local/offline implementation or review the concrete code/runtime that performs calendrical/ephemeris lookups.

Review Dimensions

Purpose & Capability
ok: Name/description (BaZi fortune analysis) matches the SKILL.md instructions: collect birth date/time/place, compute four pillars, five‑elements, ten‑gods, patterns, big luck/year luck and produce thematic readings. No unrelated binaries, env vars, or system paths are required.
Instruction Scope
note: Instructions correctly tell the agent to ask for birth year/month/day/time/place/gender and to compute calendrical conversions, true solar time and solar‑term boundaries. These are in‑scope for BaZi analysis, but they require accurate timezone/longitude and astronomical rules; the SKILL.md does not supply algorithms or explicit guidance about whether external time/ephemeris lookups or libraries may be used. It also suggests using appearance/personality to infer uncertain birth times, which broadens data collection but remains related to the stated purpose.
Install Mechanism
ok: Instruction‑only skill with no install spec and no included code files; nothing will be written to disk by an installer. This minimizes install‑time risk.
Credentials
note: The skill requests no environment variables, credentials, or config paths (appropriate). However, it asks for sensitive personal data (exact birth time and birthplace). Because SKILL.md expects precise timezone/longitude and true solar time computation, an implementation may perform external lookups; the SKILL.md does not declare or constrain network calls or storage of that PII.
Persistence & Privilege
ok: No elevated privileges shown: always:false, no install hooks, no config writes described. Autonomous invocation is allowed by default but not combined with other privilege or credential requests.