Skill v1.0.0

ClawScan security

奇门遁甲排盘 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 25, 2026, 11:36 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's code and instructions match its stated purpose (local Qimen Dunjia charting and interpretation); it requires only Node and does not request unrelated credentials or install remote code, though some advertised output features (Feishu/email) lack declared credentials.
Guidance
This skill appears coherent: it bundles a Node-based Qimen Dunjia engine and CLI and only needs Node to run. Before installing or running:
1) inspect the omitted script files (remaining scripts) if you want to be certain there are no network calls or unexpected operations;
2) if you expect Feishu document creation or email reports, ask the author how to supply Feishu/API or SMTP credentials—those are not declared in the skill metadata and likely must be provided manually or are not implemented;
3) run the CLI in a controlled environment (e.g., local machine) to review outputs;
4) avoid supplying any sensitive secrets to the skill unless you confirm where they will be stored/transmitted.
Overall the package looks consistent with its stated purpose and does not ask for disproportionate permissions.

Review Dimensions

Purpose & Capability
ok: The name/description (奇门遁甲排盘与解盘) align with included JavaScript scripts (engine, gejus, interpret, format, main) and the SKILL.md. The declared binary requirement (node) is appropriate for running the provided scripts. There is no unrelated access requested (no cloud provider credentials, no system-level config paths).
Instruction Scope
note: Runtime instructions simply run the included Node CLI (node scripts/main.js ...) and ask the agent to collect a time and a question. The SKILL.md does advertise multi-output formats (Feishu doc, email), but the skill declares no environment variables or credential requirements for Feishu/SMTP; either those features are unimplemented/optional or they rely on user-supplied configuration not declared here. Otherwise the instructions do not direct the agent to read unrelated files or secrets.
Install Mechanism
ok: There is no network install; all scripts are bundled in the skill and the SKILL.md explicitly expects Node.js to run them. No external downloads, package installs, or archive extraction are present in the provided metadata.
Credentials
note: The skill requests no environment variables or secrets (proportionate). However, SKILL.md mentions creating Feishu documents and sending email reports while requires.env is empty; if those outputs are intended, the code would need API keys or SMTP creds which are not declared—this is an inconsistency the user should clarify.
Persistence & Privilege
ok: The skill is user-invocable and not forced always-on (always: false). It does not request elevated system privileges, nor does it claim to modify other skills or global agent settings.