Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Destiny Fusion Pro

v1.0.3

Premium destiny consultation skill combining Ziwei Doushu and Bazi in one offline workflow. Use when the user wants a flagship, consultation-style report fro...

by Li Xin (@spyfree)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description match the included code: both Python and JS engines implement Ziwei and Bazi calculations and produce markdown/JSON output. That capability is coherent with the skill's stated purpose. However, the skill claims 'offline-first' but relies on third-party libraries (iztro/iztro-py, lunar_python, possibly cairosvg) which are not declared in an install spec; this is an omission that affects reproducibility and trust.
Instruction Scope
SKILL.md recommends running the included python script with specific flags (e.g. --time 15:30) and documents engine choices py|js|dual. The JS script, however, expects different CLI arguments (it requires --time-index rather than a human-readable --time), and the Python script will raise a ModuleNotFoundError unless iztro-py is installed (it even suggests pip install in code). SKILL.md also states 'Fully offline; use no web search', and the code itself does not perform network I/O, but the instructions do not tell the user how to satisfy package dependencies or which package versions to trust.
Install Mechanism
There is no install specification. The repository includes runnable scripts, but they import external packages (e.g., lunar_python, iztro_py in Python; iztro in Node) that must be installed manually. Absence of an explicit install manifest (requirements.txt, package.json, or install steps) is a mismatch and reduces reproducibility and safety posture, but there is no evidence of downloads from unknown URLs in the provided files.
Credentials
The skill declares no required environment variables, credentials, or config paths. The code does not attempt to read secrets or system config paths in the included files. This is proportionate to its stated purpose.
Persistence & Privilege
The skill does not request persistent/always-on privileges (always: false). It doesn't attempt to modify other skills or system-wide configs in the provided code or instructions.
What to consider before installing
This skill contains local Python and Node scripts that perform the astrology calculations you expect, but before installing or running it:

1) Ask the publisher/author for an install manifest (requirements.txt, package.json) or explicit dependency list and pinned versions for iztro, iztro-py, lunar_python, and any chart/backends (cairosvg).
2) Verify the source and trustworthiness of the iztro/npm and pip packages (these third-party libs will run code on your machine).
3) Note the mismatch between the SKILL.md example flags and the JS script (--time vs --time-index); confirm the correct invocation for each engine.
4) Run the code in a sandbox or isolated environment (or review the installed packages) before using with real personal data.
5) If you need true offline assurance, request an explicit statement or packaging that includes all dependencies vendored or a reproducible install script; otherwise treat the skill as requiring additional setup and vetting.

Like a lobster shell, security has layers — review code before you run it.

latest: vk971x393h0yvbk9kr146yk5qe182k4va
