Skill v0.0.3
ClawScan security
BaZi Insight Report - Cantian AI · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 14, 2026, 1:44 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and network endpoints are consistent with its stated purpose (creating anonymous checkout sessions and checking report generation status); it requests no credentials or unusual system access.
- Guidance: This skill appears to do what it claims: it posts user-provided email, birth datetime, gender, and optional location/nickname to openapi.cantian.ai to create anonymous checkouts and to query report status. Before installing or running it, confirm you trust cantian.ai (the code hardcodes that API domain and the asset domains) and are comfortable submitting personal data (birth date and email) and receiving a payment link. Run the scripts in a controlled environment with Node.js 24, verify that payUrl pages use HTTPS and the expected domain before entering payment details, and avoid pasting more sensitive secrets (passwords, API keys) into this flow — the skill does not need them.
Review Dimensions
- Purpose & Capability (ok): Name/description (bazi report checkout & progress) align with the shipped files and runtime behavior: the scripts create anonymous checkouts and query report status via a fixed cantian.ai API. No unrelated credentials, binaries, or system paths are requested.
- Instruction Scope (note): SKILL.md instructs running the included Node TypeScript scripts from the skill directory and collecting minimal user data (email, birth time, gender, optional nickname/location). The scripts make network requests to https://openapi.cantian.ai/rest and return pay/download URLs. This is expected for a checkout/report-checking skill, but note that running the skill transmits personally identifying information (email, birth datetime, optional location) to the remote API; users should be aware of that data flow.
- Install Mechanism (ok): There is no install spec that downloads or executes external archives. The package is instruction-only with TypeScript source files; it recommends Node 24 or tsx for running. No high-risk download URLs or obscure installers are used.
- Credentials (ok): The skill requires no environment variables, no credentials, and does not access system config paths. The data it sends (email, birth datetime, gender, location) are required for its stated purpose and are declared in SKILL.md.
- Persistence & Privilege (ok): The skill is not always-enabled, does not request elevated/system-level persistence, and does not modify other skills or global agent configuration. It runs as ephemeral scripts that perform API calls.
