Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
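Zi Wei Dou Shu Chart Casting and Reading
v1.0.0
Generates a structured Zi Wei Dou Shu natal chart as JSON via zwds-cli (Node, iztro 2.5.0) and interprets the chart based solely on that JSON. Use when the user mentions Zi Wei Dou Shu, chart casting, natal charts, the twelve palaces, the four transformations, chart reading, birth date and hour (BaZi), the Life Palace, decadal periods, or yearly fortunes. Includes a quick reference for the official iztro API; forbids py-iztro and inventing stars that are not in the JSON. True solar time and place-name...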
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The name/description promise (generate a 紫微斗数 structured chart and base readings on that JSON) matches the bundled code and SKILL.md. The repo contains a CLI (zwds-cli) that uses iztro@2.5.0 to produce JSON and includes local longitude data. The only external dependency is the iztro npm package, which is appropriate for this purpose; there are no unrelated credentials, binaries, or surprising platform requirements.
Instruction Scope
SKILL.md gives narrow, explicit runtime rules: run the included zwds-cli from its directory, feed JSON via stdin, use the CLI output 'data' as the sole factual source for readings, and explicitly forbid using py-iztro, external online charting/geocoding, or inventing stars. The instructions reference only local files bundled with the skill (zwds-cli/data/longitudes.json, fixtures, etc.) and standard Node operations—no guidance asks the agent to read unrelated system files or exfiltrate data.
Install Mechanism
There is no platform-level install spec, but SKILL.md instructs the user/agent to run 'npm ci' inside zwds-cli. This will download iztro and its npm dependencies from the public registry (normal and expected). The repo also ships helper scripts (generate-longitudes) that, when manually run, will perform many HTTP requests to GitHub raw content and geo.datav.aliyun.com to regenerate the local longitudes database—this is optional and should not be run in sensitive environments without review. Overall installation actions are proportionate to the task but involve normal npm network activity.
Credentials
The skill declares no required environment variables, no credentials, and no config paths outside its own directory. The code reads/writes files under the skill's tree (fixtures, data) and may spawn the local Node process for save-fixture; these are proportional to generating/storing charts. No hidden secrets or unrelated service tokens are requested.
Persistence & Privilege
always is false and the skill does not request permanent platform inclusion or elevated privileges. It writes optional fixture files inside its own repository tree when using save-fixture, which is expected behavior and limited in scope. It does not modify other skills' configs or system-wide settings.
Assessment
This skill appears internally coherent and does what it says: run the included Node CLI to produce a zwds JSON and base readings only on that JSON. Before installing or running: 1) be aware 'npm ci' (as instructed) will fetch iztro and other npm packages from the public registry—review package-lock.json / integrity hashes if you need supply-chain assurance; 2) do not run the optional generate-longitudes script unless you want it to perform many network requests to GitHub and geo.datav.aliyun.com; 3) the save-fixture utility spawns a Node process and writes files into the skill directory—expect local disk writes if you use it; 4) if you are in a shared or restricted environment, run npm install / the CLI in an isolated environment or review iztro package contents first. Otherwise the skill is coherent and proportionate to its stated purpose.
zwds-cli/scripts/save-fixture.mjs:35
Shell command execution detected (child_process).
zwds-cli/test/golden.test.js:65
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
