Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Lunar Calendar

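A professional lookup tool for the Chinese lunar calendar (农历/阴历).

Core capabilities:

  • Gregorian-to-lunar conversion (sexagenary year, zodiac animal, leap-month flag)
  • Lunar-to-Gregorian conversion (with accurate leap-month handling)
  • Almanac (黄历) auspicious/inauspicious lookup (weddings, groundbreaking, opening a business, etc.)
  • Solar-term lookup (the 24 solar terms, accurate to the second)

Trigger scenarios: force-activated when the user asks about "农历" (lunar calendar), "黄历" (almanac), "宜忌" (auspicious/inauspicious), "阴历" (lunar calendar), "八字基础" (BaZi basics), "春节日期" (Spring Festival date) or "闰月" (leap month), or needs traditional Chinese calendar calculations.

Output: structured date information + auspicious/inauspicious table + solar-term marker.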

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 722 · 4 current installs · 4 all-time installs
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
Name/description match the included calendar and fortune features and the SKILL.md enforces using a local calculator script. However the package also includes release/publish automation (LAUNCH_NOW.sh, github_auto_setup.sh, create_github_repo.sh, publish scripts, many docs instructing to push to GitHub and post to a community). The metadata declares 'instruction-only' and no required env vars, but the repository contains tooling that would legitimately require credentials (GITHUB_TOKEN) and network access — that is inconsistent with the minimal requirements declared.
! Instruction Scope
SKILL.md confines runtime behavior tightly (call scripts/lunar_calculator.py; read reference files only when needed) which is good. But the skill bundle also contains many auxiliary scripts and prose that instruct publishing to GitHub and community sites (LAUNCH_NOW.sh, github_auto_setup.sh, GITHUB_* guides). Those scripts perform remote actions (curl to GitHub API, git push) and require a GITHUB_TOKEN, yet SKILL.md does not mention invoking them. If an agent or operator follows other included docs, it could run network/publish operations not required for calendar queries. The presence of a top-level simplified lunar_calendar.py (which is inaccurate) alongside a larger scripts/lunar_calculator.py is also a potential source of confusion/incorrect execution.
Install Mechanism
No formal install spec is declared (instruction-only in registry), which minimizes automatic install risk. But included docs and scripts expect installing Python dependencies (lunardate, cnlunar) and creating/pushing GitHub releases (tarball creation). There are no downloads from obscure URLs in the manifest, but the package includes automation that would fetch/push to GitHub if executed manually or by an agent.
! Credentials
Registry metadata claims no required env vars or credentials, but scripts in the bundle explicitly require GITHUB_TOKEN (github_auto_setup.sh) and the guidance shows pushing to a repo via an auth-embedded remote URL. That is a direct mismatch: the skill may request or attempt to use a GitHub token for publishing which is unrelated to the core lunar/黄历 functionality. This creates a high risk of accidental credential exposure if these scripts are run. No other secrets are declared, but multiple files reference network endpoints (GitHub, community site) and publishing steps.
Persistence & Privilege
The skill does not request always:true and defaults allow autonomous invocation (the platform default). Nothing in the metadata indicates it modifies other skills or system-wide settings. However the included automation can create a remote GitHub repo and push the entire skill directory, which could leak local files or metadata to an external host — a persistence/exfiltration concern only if those publish scripts are run.
What to consider before installing
This package appears to implement the stated lunar/黄历 features, but it also bundles GitHub/community publishing automation that expects a GITHUB_TOKEN and network push actions that are not declared in the skill metadata. Before installing or running:

  1. Treat the repo as code+tools, not just an instruction-only skill — review scripts/ for any network or publish actions.
  2. Do NOT set or expose a GitHub token to this skill unless you intend to publish the repository; github_auto_setup.sh and LAUNCH_NOW.sh will use GITHUB_TOKEN or embed credentials in remote URLs (which can leak).
  3. If you only want calendar queries, restrict the agent to call the specific calculator script (scripts/lunar_calculator.py) and disable/omit running any publish/upload scripts.
  4. Audit which lunar script the runtime will call — the top-level lunar_calendar.py is a simplified/approximate implementation; the authoritative calculator lives in scripts/ (verify which actual script is executed).
  5. Because the source owner/homepage are unknown, prefer running the calculator in a sandbox or reviewing the Python code and third-party dependencies (lunardate, cnlunar) locally before allowing autonomous runs or granting tokens.

If you want, I can list the exact lines in the publish scripts that use GITHUB_TOKEN and suggest safe edits to neutralize publishing behavior.


Current version: v0.9.0
latest vk977fyhbwkjkfbn4mhd1525t59813cvg

SKILL.md

<skill_body>

🎯 Purpose

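Provides conversion and lookup services for the traditional Chinese lunar calendar (the Xia calendar), accurate to the second. This skill is a deterministic computation task: relying on the model's internal, parametric memory of the lunar calendar is strictly forbidden (that memory carries a risk of misplaced leap months), and a reliable algorithm must be executed via the script.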

⏰ When to Use

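  • ✅ The user input contains "农历" (lunar calendar), "阴历" (lunar calendar), "黄历" (almanac), "宜忌" (auspicious/inauspicious), "干支" (sexagenary cycle), "生肖" (zodiac animal) or "节气" (solar term)
  • ✅ A Gregorian date needs to be converted to a Chinese-style expression such as "乙巳年、正月十五" (Yisi year, 15th day of the first month)
  • ✅ It must be determined whether a given day is "宜嫁娶" (suitable for weddings) or "忌开市" (unsuitable for opening a business)
  • ✅ The exact moment at which one of the twenty-four solar terms begins is being looked up
  • ❌ The user only asks "what is today's date" (leave that to the general conversation capability)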

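🧠 Process (low freedom · strict mode)

Step 1: Intent recognition and parameter extraction

  • Determine the conversion direction: Gregorian→lunar / lunar→Gregorian / auspicious-inauspicious lookup
  • Extract the core parameters:
    • Gregorian date (e.g. 2026-02-13)
    • Lunar expression (e.g. 二零二六年腊月廿三, 闰七月)
    • Specific need (calendar only / auspicious-inauspicious only / detailed interpretation)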

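Step 2: Call the dedicated script (writing your own is strictly forbidden)

<critical_rule status="最高优先级"> You must not attempt to compute the lunar calendar on the fly with Python code. The lunar calendar involves complex intercalation rules and a true-new-moon (定朔) algorithm, and code written on the fly at runtime carries a risk of calculation errors. You must call scripts/lunar_calculator.py directly. </critical_rule>

  • Example invocations: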
python scripts/lunar_calculator.py --solar 2026-02-13
python scripts/lunar_calculator.py --lunar "2026-07-23" --leap false
python scripts/lunar_calculator.py --solar 2026-02-13 --with-fortune true

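Step 3: Load reference resources on demand

  • To output a "detailed auspicious/inauspicious interpretation", references/fortune_rules.md must be read first
  • To explain "how solar terms work", read references/solar_terms.md
  • Stuffing the full text of the above references into the context is strictly forbidden; read only the sections needed.

Step 4: Assemble the structured output

The following fixed template must be used; free-form formatting is forbidden: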

<lunar_query_result>
<solar_date>{{Gregorian date, as input or as computed}}</solar_date>
<lunar_date>
  <year>{{sexagenary year}}({{zodiac animal}})</year>
  <month>{{lunar month}}{{leap-month marker}}</month>
  <day>{{lunar day}}</day>
  <festival>{{traditional festival, if any}}</festival>
</lunar_date>
<solar_term>{{solar term name}}({{time the term begins}})</solar_term>
<fortune>
  <suitable>{{suitable (宜): item 1, item 2}}</suitable>
  <avoid>{{avoid (忌): item 1, item 2}}</avoid>
</fortune>
</lunar_query_result>

🔍 Decision Logic

graph TD
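A[User input] --> B{Contains a lunar/almanac keyword?}
B -->|No| C[Do not activate the skill]
B -->|Yes| D{Request type?}
D -->|Gregorian to lunar| E[Extract date → call lunar_calculator.py --solar]
D -->|Lunar to Gregorian| F[Parse lunar string → call lunar_calculator.py --lunar]
D -->|Auspicious-inauspicious lookup| G[Call script + read fortune_rules.md]
E --> H[Assemble XML output]
F --> H
G --> H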

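⚠️ Constraints (guarding against drift)

  1. No vague phrasing: for example "大概是" ("it is roughly") or "我记得农历好像是" ("I recall the lunar date is something like"). The lunar calendar is an exact calendar, and a definite result must be output.
  2. Leap-month handling: when a lunar month is output, the character "闰" (leap) must be marked explicitly (e.g. "闰七月"); the script has built-in logic to detect this.
  3. Time range: this skill supports the years 1900-2100 (the range covered by the script's algorithm); beyond that range the user must be told.
  4. Almanac output: output only the auspicious/inauspicious items prescribed by traditional almanacs; do not add modern embellishments (such as "宜发朋友圈", "suitable for posting to WeChat Moments").
</skill_body>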

Files

30 total