Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Zhouyi Divination
v0.1.0周易综合占卜系统 — 基于用户八字命盘,结合多种传统术数(梅花易数、马前课、六爻、奇门遁甲、紫微斗数、大六壬等)进行专业命理分析和事件占卜。每次占卜由八位专家会诊,给出理性、专业、不奉承的综合判断。
⭐ 0· 484·4 current·4 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The skill's stated purpose (divination based on a user's birth data) reasonably requires access to the user's birth information, but the SKILL.md mandates reading a specific absolute file (/Users/taisenzhuang/.openclaw/workspace/zhouyi-divination/mingzhu.md) and USER.md in the workspace. The metadata declares no required config paths or credentials, so the hard-coded local path and expectation to load local personal data are not aligned with the declared requirements and appear inappropriate for a generic published skill.
Instruction Scope
Runtime instructions explicitly require: (1) reading USER.md and a specific file under a particular user's home directory, and (2) always automatically saving every analysis to an iCloud Documents path without asking the user. Both actions access persistent user data and system paths outside the skill bundle and perform automatic external writes; these go beyond a minimal instruction set and raise privacy and surprise-persistence concerns.
Install Mechanism
This is an instruction-only skill with no install spec or external downloads, which is the lowest-risk installation model. There is no code to be written to disk by the skill package itself.
Credentials
Although the manifest lists no environment variables or credentials, the SKILL.md expects access to specific local filesystem locations (including a hard-coded username path) and to the user's iCloud Documents folder. Requesting access to arbitrary files and writing to iCloud is a disproportionate implicit privilege relative to the skill metadata and should have been declared and gated explicitly.
Persistence & Privilege
The skill requires automatically creating and persisting reports in the user's iCloud Documents directory on every invocation, without user confirmation. While the skill is not 'always: true', its built-in requirement to persist data by default is a persistent side-effect that affects user privacy and storage and should be under explicit user control.
What to consider before installing
Before installing or enabling this skill, consider the following: (1) The SKILL.md demands reading a specific local file path (/Users/taisenzhuang/...) and USER.md — confirm whether those paths match your environment and inspect those files for sensitive data. (2) The skill will automatically save every analysis to your iCloud Documents folder; if you don't want automatic writes, do not enable the skill until the behavior is changed to require explicit user consent. (3) Ask the publisher to remove hard-coded absolute paths and instead prompt the user for the data file or accept pasted input; the skill should declare any config paths it needs in its metadata. (4) Test the skill in a sandboxed environment first (or with dummy data) to see exactly what files it reads/writes. (5) If you proceed, monitor the specified iCloud folder for created files and ensure nothing sensitive is being stored. (6) If you are unsure about the source (homepage is none, source unknown), prefer not to install or only install after the author provides clearer, non-hardcoded I/O behavior and explicit consent flows.Like a lobster shell, security has layers — review code before you run it.
latestvk97f9045yypt5ktwwy3vnc41s181zrp7
License
MIT-0
Free to use, modify, and redistribute. No attribution required.