Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ziwei Doushu

v1.0.2

Professional Ziwei Doushu consultation skill with offline, Beijing-standard calculation rules. Use when the user wants a polished Ziwei report from birth dat...

2 · 653 · 2 current · 2 all-time
by Li Xin (@spyfree)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (Ziwei Doushu astrology) aligns with the included Python and Node scripts which call iztro/iztro_py to compute charts and produce JSON/optional images. The code artifacts and reference docs are consistent with the stated product (chart facts + interpretation).
Instruction Scope (flagged)
SKILL.md states 'Offline only; no network dependency' and recommends running the Python script directly, but the Python script attempts to import iztro_py and raises an error asking the user to 'pip install iztro-py' if missing. The Node script imports 'iztro'. There is no install spec explaining whether these libraries are bundled or must be fetched, so in practice installing dependencies would likely require network access, contradicting the offline claim. Additionally, the SKILL.md recommended CLI (--time as HH:MM) does not map directly to the Node script which requires --time-index and different argument names, creating ambiguity in dual/JS engine usage.
Install Mechanism (flagged)
No install specification is provided even though the scripts import third-party libraries (iztro_py for Python, iztro for Node, and optionally cairosvg for chart rendering). That means the skill will either fail if those packages are not preinstalled, or require the user/agent to install packages from PyPI/NPM at runtime (network). The lack of an explicit, trusted install source or vendor package increases operational ambiguity and risk.
Credentials
The skill declares no required environment variables or config paths and the code does not read environment variables, system credentials, or arbitrary files. There is no evidence of requests for unrelated secrets or broad system access.
Persistence & Privilege
The skill does not request 'always: true' and does not appear to modify agent/system configuration. It runs as a transient script and does not persist credentials or enable permanent presence.
What to consider before installing
This skill appears to be a legitimate offline Ziwei chart generator, but there are important inconsistencies you should resolve before installing: (1) SKILL.md says 'offline only' yet the packaged scripts import third-party libraries (iztro_py, iztro, possibly cairosvg). If those libraries are not already present, installing them will require network access. (2) There is no install specification or packaged dependencies — you should confirm whether the runtime environment already includes iztro_py/iztro and any image backends, or be prepared to install them from PyPI/NPM from trusted sources. (3) The Python and Node scripts use different command-line argument names (e.g., --time vs --time-index); test the 'dual' engine mode and the CLI flags to ensure consistent behavior. If you cannot confirm bundled dependencies or are uncomfortable allowing the agent to install packages from the network, treat the skill as unusable until dependencies are explicitly provided or an install spec from trusted release sources is added. There is no sign of network exfiltration or secret access in the code, so the primary issues are dependency/install ambiguity and CLI mismatches rather than malicious behavior.


latest: vk9702xq8gh0nhp8w2xknbr0vkd82jewq

