Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
bazi-pillars-from-datetime
v1.0.1
Use when a task involves deriving bazi chart data from Gregorian datetime and timezone, or generating a grounded user-language analysis from an existing char...
by @vastaq
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign (high confidence)
Purpose & Capability
Name/description (derive 八字 from datetime + produce analysis) aligns with the included code and docs. The code implements date/time, solar-term, and geocoding logic needed for time/location corrections and chart generation. No unrelated services or credentials are required.
Instruction Scope
SKILL.md limits behavior to two modes (chart vs analysis) and documents expected inputs/outputs. main.py reads city map/cache files, may write a cache, and can call online geocoding (nominatim/amap/tencent) when lookup_mode allows — these actions are within the declared purpose but are worth noting because they involve network requests and local file I/O.
Install Mechanism
No install spec (instruction-only with code files). There is no third-party installation, remote archive download, or package install — the code runs locally with standard Python libraries and urllib.
Credentials
Registry lists no required env vars. The SKILL.md and main.py accept optional environment variables (BAZI_GEOCODE_KEY, BAZI_CITY_MAP_PATH, BAZI_CITY_CACHE_PATH, BAZI_GEOCODE_PROVIDER, BAZI_GEOCODE_TIMEOUT) that are proportional to geocoding and caching features. No unrelated or excessive credentials are requested.
Persistence & Privilege
The skill sets always:false and uses normal agent invocation. It reads and writes its own cache file (default city_cache.json) and reads a city map path; it does not modify other skills or system-wide agent configs. No elevated persistence privileges are requested.
Assessment
This skill appears to do what it says, but consider these practical points before installing:
- Network use: if lookup_mode is 'online' or 'auto' the skill will send place names to geocoding services (OpenStreetMap Nominatim, Amap, or Tencent). If you worry about privacy, set lookup_mode to 'local' and provide a local cities.json mapping.
- Optional API keys: supply BAZI_GEOCODE_KEY only if you use amap/tencent lookups; otherwise no secrets are required.
- Local file I/O: the skill may read a city map and will write a cache file (default city_cache.json in the skill directory or a path you set). Ensure you are comfortable with that file being created/updated.
- Autonomy: the skill can be invoked by the agent normally (disable-model-invocation is false), which is standard; there is no 'always:true' privilege.
- If you want extra assurance, review main.py and run it in a sandboxed environment, or switch lookup_mode to 'local' to avoid external network calls.

Like a lobster shell, security has layers — review code before you run it.
latest: vk97d8pd89bsdvhe1ka2kfjm8x5836w0t
