Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Zodiac Horoscope

v1.3.0

Fetch personalized daily horoscope forecasts from zodiac-today.com API based on natal chart calculations. Use when a user wants: (1) daily guidance on what a...

Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill's stated purpose (fetch personalized horoscopes from zodiac-today.com) legitimately requires an API key and a profile ID and may require user birth data — so the runtime requirements in SKILL.md are coherent with the purpose. However, the registry metadata lists no required environment variables or primary credential while SKILL.md explicitly requires ZODIAC_API_KEY and ZODIAC_PROFILE_ID; that registry/manifest mismatch is an integrity concern.
Instruction Scope
The SKILL.md instructs the agent to collect sensitive PII (email, birth date, birth city) and explicitly says it may automatically retrieve the verification code 'if the agent has email access (e.g., IMAP)'. That broadens scope to mailbox access (not declared elsewhere) and instructs writing a session cookie file (cookies.txt). Although the doc asks for user consent and to delete cookies.txt, it still directs behaviors (email/IMAP access, temporary cookie storage) that go beyond simple API calls and may require additional privileges the registry doesn't declare.
Install Mechanism
This is instruction-only with no install spec and no code files — minimal install surface and nothing is written to disk by an installer. The only file operation noted is a temporary cookies.txt created by curl in the documented workflow; that is explicitly described and meant to be deleted.
Credentials
SKILL.md requires two environment values (ZODIAC_API_KEY and ZODIAC_PROFILE_ID) which are proportional to the API integration. But the registry metadata lists none — a mismatch that could hide required secrets. The skill also requires collection of sensitive PII for natal chart calculations; collecting this data is explainable for the feature but increases privacy risk and requires explicit consent and secure handling. The instructions also mention session cookies and possible automated email access, which implies access to credentials or mailboxes not declared in manifest.
Persistence & Privilege
The skill is not forced-always and is user-invocable; autonomous model invocation remains permitted (the default). The main privilege concern is the instruction to access the user's email (IMAP) to retrieve verification codes — combined with autonomous invocation this could increase blast radius. There is no install-time persistence or system-level privilege escalation requested in the files provided.
What to consider before installing
Before installing: (1) note the manifest mismatch — SKILL.md requires ZODIAC_API_KEY and ZODIAC_PROFILE_ID but the registry metadata doesn't declare them; ask the publisher to correct the metadata. (2) This skill will ask for sensitive PII (email, birth date, birth city) — only collect with explicit consent and store/delete data securely. (3) The runtime doc suggests the agent can automatically read verification emails via IMAP; avoid granting mailbox/IMAP access unless you trust the skill and operator — prefer a manual code-entry workflow. (4) Keep the API key and profile ID in a dedicated, least-privilege environment (or ephemeral secrets), and delete temporary cookie files as instructed. (5) Because this is instruction-only, there was no code to scan; that reduces evidence about hidden behavior — if you need higher assurance, request a signed author/source and a manifest update listing the required env vars and exact scopes (email access, cookie storage).

Like a lobster shell, security has layers — review code before you run it.

706 downloads
0 stars
4 versions
Updated 5h ago
MIT-0

Zodiac Horoscope

Provide personalized, actionable daily guidance powered by planetary transit calculations against the user's natal chart.

Required Environment Variables

Variable            Description
ZODIAC_API_KEY      API key from zodiac-today.com (starts with hsk_)
ZODIAC_PROFILE_ID   Profile ID for the user's birth chart

Privacy Notice

This skill collects sensitive PII (email, birth date, birth city) required for natal chart calculations. Handle with care:

  • Ask for explicit user consent before collecting birth information
  • Never log or expose PII in public channels or shared contexts
  • Store API keys and profile IDs in environment variables, not in plain text files
  • Delete cookies.txt after registration is complete

How This Helps People

  • Daily decision-making: "Should I have that difficult conversation today?" → Check if confrontations are favorable or unfavorable
  • Schedule optimization: Plan high-energy tasks on high-energy days, rest on low days
  • Life event planning: Find the best window for job interviews, first dates, travel, or big purchases (paid tiers unlock future dates)
  • Relationship insights: Romance metrics help users pick ideal date nights
  • Motivation & mindfulness: Daily summaries provide a moment of reflection and intentional living

Setup

Everything can be done via API — no browser needed.

1. Register & get API key

# Send verification code (creates account if new)
curl -s -X POST https://zodiac-today.com/api/auth/send-code \
  -H "Content-Type: application/json" \
  -d '{"email":"user@example.com"}'

# Verify code (check email inbox for 6-digit code)
curl -s -X POST https://zodiac-today.com/api/auth/verify \
  -H "Content-Type: application/json" \
  -c cookies.txt \
  -d '{"email":"user@example.com","code":"123456"}'

# Create API key (use session cookie from verify step)
curl -s -X POST https://zodiac-today.com/api/keys \
  -H "Content-Type: application/json" \
  -b cookies.txt \
  -d '{"name":"My Agent"}'
# Response: {"id":"...","key":"hsk_...","name":"My Agent"}

Store the hsk_ key as environment variable ZODIAC_API_KEY. Delete cookies.txt after this step.

2. Create birth profile

curl -s -X POST https://zodiac-today.com/api/profiles \
  -H "Authorization: Bearer hsk_your_api_key" \
  -H "Content-Type: application/json" \
  -d '{"name":"John","birthDate":"1990-05-15","birthCity":"London, UK"}'

Save the returned id as environment variable ZODIAC_PROFILE_ID.

Workflow

First-time setup for a user

  1. Ask for their email, birth date, and birth city (get explicit consent — this is sensitive PII)
  2. Send verification code: POST /api/auth/send-code with their email
  3. Human-in-the-loop: Ask the user to check their email and provide the 6-digit code. If the agent has email access (e.g., IMAP), it may retrieve the code automatically from noreply@zodiac-today.com
  4. Verify code: POST /api/auth/verify — save session cookie to a temp file (-c cookies.txt)
  5. Create API key: POST /api/keys (with session cookie) — save the returned hsk_ key
  6. Clean up: Delete cookies.txt immediately — it is no longer needed
  7. Create profile: POST /api/profiles (with API key) — save the returned profile id
  8. Store ZODIAC_API_KEY and ZODIAC_PROFILE_ID as environment variables
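
A hardened take on steps 2 to 6 above, added here as an example and not part of SKILL.md: the cookie jar is created with mktemp (mode 0600) and removed by a trap on every exit path, the code is typed in by the user rather than read from a mailbox, and request bodies go to curl on stdin so the email and code stay out of the process list. The function names are hypothetical; the endpoints and the response shape are the ones shown on this page.

```shell
#!/bin/sh
# Added example, not from SKILL.md. Function names are hypothetical.
BASE=https://zodiac-today.com/api   # endpoints as listed on this page

make_cookie_jar() {
  # mktemp creates the file with mode 0600 under an unpredictable name,
  # unlike a fixed cookies.txt in the current directory
  mktemp "${TMPDIR:-/tmp}/zodiac-jar.XXXXXX"
}

valid_code() {   # the page describes the emailed code as 6 digits
  case $1 in
    [0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

extract_key() {  # reads the /api/keys response on stdin, prints the hsk_ key
  sed -n 's/.*"key"[[:space:]]*:[[:space:]]*"\(hsk_[^"]*\)".*/\1/p'
}

post_json() {    # $1 = path, JSON body on stdin, extra args go to curl
  path=$1; shift
  curl -s --fail -X POST "$BASE$path" \
    -H "Content-Type: application/json" -d @- "$@"
}

# Body runs in a subshell so the EXIT trap deletes the jar on every path.
register() (     # $1 = email; prints the new API key on stdout
  email=$1
  case $email in ''|*'"'*|*'\'*) echo "bad email" >&2; exit 1 ;; esac
  jar=$(make_cookie_jar) || exit 1
  trap 'rm -f "$jar"' EXIT
  trap 'exit 1' INT TERM
  printf '{"email":"%s"}' "$email" | post_json /auth/send-code >/dev/null || exit 1
  printf 'Enter the 6-digit code from your inbox: ' >&2
  read -r code   # manual entry: no IMAP or mailbox access involved
  valid_code "$code" || { echo "code must be 6 digits" >&2; exit 1; }
  printf '{"email":"%s","code":"%s"}' "$email" "$code" |
    post_json /auth/verify -c "$jar" >/dev/null || exit 1
  printf '{"name":"My Agent"}' | post_json /keys -b "$jar" | extract_key
)

# Usage (makes network requests): ZODIAC_API_KEY=$(register user@example.com)
```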

Daily horoscope fetch

  1. Call GET /api/horoscope/daily?profileId=$ZODIAC_PROFILE_ID&startDate=YYYY-MM-DD&endDate=YYYY-MM-DD with Authorization: Bearer $ZODIAC_API_KEY
  2. Parse the response and present actionable insights

Presenting results to users

Translate raw data into practical advice:

  • overallRating (1-10): Frame as "Great day!" (8+), "Solid day" (6-8), "Take it easy" (<6)
  • favorable/unfavorable: Present as "Good for:" and "Better to avoid:" lists
  • metrics: Highlight the standout ones — "Your energy is HIGH today, perfect for tackling that project"
  • luckyColors: Suggest outfit or decor choices
  • luckyNumbers: Mention casually, fun touch
  • summary: Use the astrological narrative to add color, but keep advice grounded and practical

Planning ahead (paid tiers)

For users with Starter+ tiers, fetch date ranges to help:

  • "What's the best day this month for my job interview?"
  • "When should I plan our anniversary dinner?"
  • Compare overallRating across dates and recommend the highest-rated windows

API Details

See references/api.md for full endpoint docs, parameters, tiers, and response schemas.

Example curl

curl "https://zodiac-today.com/api/horoscope/daily?profileId=PROFILE_ID&startDate=2026-02-15&endDate=2026-02-15" \
  -H "Authorization: Bearer hsk_your_api_key"
