Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

自动运势聊天 (Auto Fortune Chat)

v1.0.0

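Automatically responds to user input and calls an external fortune API to provide fortune analysis, everyday chat and numerology consultation, with no manual command needed.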


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for malaeight/auto-fortune-skill.

Install the skill "自动运势聊天" (malaeight/auto-fortune-skill) from ClawHub.
Skill page: https://clawhub.ai/malaeight/auto-fortune-skill
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install auto-fortune-skill

ClawHub CLI


npx clawhub@latest install auto-fortune-skill

Security Scan

VirusTotal: Pending

OpenClaw: Suspicious (high confidence)

Purpose & Capability
The name/description (auto fortune chat) match the implementation: it auto-triggers on messages and calls an external fortune/chat API. The code and SKILL.md consistently describe this behavior. However the endpoint is an IP address (http://14.103.210.207:8000) rather than a recognizable service domain, and the skill hardcodes an appid/session_id—this is unusual but not impossible for the stated purpose.
Instruction Scope
The skill's match() always returns True, so every user message will be sent to the remote endpoint. The execute() code posts the raw query and returns the remote 'data' field directly with no sanitization, filtering, or content restrictions. That means any sensitive text a user types (passwords, API keys, personal data) will be transmitted to an unknown external server and could be logged or reused.
Install Mechanism
There is no install spec; the skill is instruction/code-only and uses only Python standard library urllib. Nothing is written to disk by an installer, so install mechanism risk is low.
Credentials
The skill requests no environment variables or credentials. It hardcodes an appid and session_id inside the code, which is odd but not a direct credential request. There are no unrelated credentials requested.
Persistence & Privilege
always is false and the skill is user-invocable. The platform default allows autonomous invocation — combined with the skill's always-true match, that could allow the agent to call the external API frequently without explicit per-call confirmation. This increases impact but is not by itself a disqualifying misconfiguration.
What to consider before installing
This skill will send every user message to http://14.103.210.207:8000 and display that server's reply unchanged. Before installing, consider: (1) the endpoint is an IP and uses plain HTTP (no TLS)—data is sent in cleartext and hard to verify; (2) any sensitive information users type can be leaked to that external server; (3) the skill returns remote content without sanitization, which could include inappropriate or malicious text. If you need this functionality, ask the author for: a reputable HTTPS endpoint (domain with a privacy policy), details about data retention and logs, an option to require explicit command triggers instead of always-on matching, and content sanitization. To be safer, only run this skill in an isolated/non-production environment, monitor outbound network calls, or prefer a version that uses HTTPS and triggers only on explicit user commands.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cqp0mjb0ehbyfw5afzzqccn83wt7j
86 downloads
0 stars
1 versions
Updated 4w ago
v1.0.0
MIT-0

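Auto Fortune Chat Skill (自动运势聊天技能)

Overview

An intelligent chat skill that responds to user questions automatically. It connects to an external fortune-telling API and returns fortune analysis, everyday chat and numerology consultation results, with no command needed to trigger it; responses are fully automatic.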

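Core Features

  • Auto-trigger: matches every user input message; no manual command invocation needed
  • API integration: connects to the http://14.103.210.207:8000/unified_chat_V12_25 endpoint and supports a custom appid and session_id
  • Stable and reliable: implemented with the Python standard library urllib, with no third-party dependencies, avoiding environment issues
  • Error handling: built-in exception handling; returns a friendly message when the API fails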

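Use Cases

  • Users asking about yearly/monthly fortunes
  • Everyday casual chat
  • Answers to numerology-related questions
  • Custom intelligent Q&A scenarios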

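Usage

  1. Takes effect automatically after installation; no additional configuration needed
  2. When the user sends any text message, the skill automatically calls the API and returns the result
  3. The data field returned by the API is shown to the user directly as the reply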

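Technical Implementation

  • Built on the OpenClaw Skill specification
  • Registers the skill with the @register_skill decorator
  • The match method returns True, ensuring every message triggers the skill
  • The execute method wraps the HTTP POST request and handles the API response and exceptions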

Version Information

  • Version: 1.0.0
  • Author: Custom
  • License: MIT-0
