Awesome Bazi Calculator - Cantian AI

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a local Bazi/calendar calculator, with the main caution that installing it fetches an npm dependency and running it executes local scripts.

This skill looks coherent for local Bazi and Chinese calendar calculations. Before installing, note that it uses npm to fetch a third-party library and then runs local Node scripts; avoid using it in sensitive directories if you do not trust the package source, and treat astrology/fortune outputs as informational rather than professional advice.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Severity: Info
What this means

The agent may run local calculator scripts on your machine or workspace when you ask for Bazi/calendar calculations.

Why it was flagged

The skill exposes local script execution as its main workflow. This is expected for a local calculator, but users should be aware that invoking the skill can run Node commands with user-supplied input.

Skill content
node scripts/queryFortuneRange.ts '<json>'
Recommendation

Install and run it only in the intended skill directory, and review commands before allowing unusually broad or unexpected inputs.

ASI04: Agentic Supply Chain Vulnerabilities
Severity: Low
What this means

Installing the skill may fetch third-party package code from npm, and the exact installed version may vary unless locked.

Why it was flagged

The skill relies on an external npm package with a caret version range, so `npm i` can resolve a newer compatible package version. This is common for Node tools but is still a supply-chain point to notice.

Skill content
"dependencies": { "cantian-tymext": "^0.0.26" }
Recommendation

Prefer a lockfile or pinned dependency version if you need reproducible installs, and install from a trusted environment.