vinci-tarot

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This tarot skill appears purpose-aligned: it runs local Python to draw cards and make spread images, with disclosed optional image downloads and no evidence of credential access, exfiltration, or destructive behavior.

This looks like a normal tarot-reading/image-generation skill. Before installing, be comfortable with it running local Python, installing Pillow, optionally using npm tooling only if you regenerate card data, downloading/caching public card images, and writing reading/output files locally.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

No VirusTotal findings for this skill version.

Malicious: 0
Suspicious: 0
Harmless: 0
Undetected: 64

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Using the skill can run local Python code and create files for the reading image, which is expected for this skill but should be understood before installation.

Why it was flagged

The skill explicitly tells the agent to execute local Python code and an image-generation script as part of the tarot reading workflow.

Skill content

call `perform_reading`, save the result as JSON, run the spread-image script, and send the image

Recommendation

Run the skill with normal user permissions, keep output paths in a user-controlled or temporary directory, and do not grant administrator privileges.

What this means

The skill may make network requests to download tarot card images and store them locally, but the artifacts do not show user data being sent with those requests.

Why it was flagged

The image feature may fetch public card images from an external website and cache them locally; this is disclosed and purpose-aligned.

Skill content

On **first run**, the script will try to download 78 card images into `cards/`

Recommendation

If you prefer no network access, pre-populate the `cards/` directory with local images or run the skill in an environment where outbound access is controlled.