Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
wuxing-daily
v1.0.0老黄历Daily - 传统五行命理与每日运势工具。当用户询问生辰八字、五行属性、命格分析、每日运势提醒、黄历宜忌时使用此 Skill。功能包括:根据生日计算五行命理(金木水火土)、分析八字命格、生成每日运势与宜忌建议。
⭐ 0· 139·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill name/description (五行命理、八字分析、农历转换、每日运势) matches the included Python scripts and markdown reference material. The requested capabilities are coherent with the provided code and do not require external credentials or unusual binaries.
Instruction Scope
SKILL.md instructs running scripts under a scripts/ directory (python3 scripts/calculate_wuxing.py, etc.) and copying a directory named 'wuxing-ziwei', but the actual manifest contains the Python files at top level (calculate_wuxing.py, daily_fortune.py, lunar_convert.py) and no scripts/ directory or 'wuxing-ziwei' folder. The SKILL.md also suggests creating a cron job using a 'cron add' command which is non-standard on many systems (typical usage is crontab or specific schedulers). These mismatches could cause an agent to run incorrect paths or attempt to create scheduled tasks in unexpected ways.
Install Mechanism
There is no install spec that downloads remote artifacts; this is an instruction-only skill bundle with local Python files. No network downloads, package installs, or archive extractions are present in the manifest.
Credentials
The skill declares no required environment variables, no credentials, and the code does not read environment secrets. The scripts only operate on user-provided birthdate/time input and internal static tables.
Persistence & Privilege
The SKILL.md suggests creating a persistent cron task to deliver daily reminders. While 'always: false' and autonomous invocation are normal, the instruction to add a scheduled system job is a persistence action that requires user/system permission. The skill itself does not automatically install or enable persistence in the code, but the documentation encourages creating one—users should verify and control that step manually.
What to consider before installing
This skill appears to implement the advertised wuxing/黄历 functionality and does not request secrets or perform network calls. However, before installing or letting an agent run it: 1) Verify file locations and adjust commands: SKILL.md references a scripts/ directory and a 'wuxing-ziwei' folder that do not match the shipped filenames—use the actual script paths (e.g., python3 calculate_wuxing.py). 2) Be cautious with the suggested cron command—'cron add' may not exist on your system; prefer creating crontab entries manually or via a known scheduler and confirm the exact command path to the script. 3) Inspect the code yourself (it's plain Python) to confirm you are comfortable running it locally; no obfuscated or network-exfiltration code was found. 4) Because the docs and filenames are inconsistent, expect small maintenance fixes (paths/names) before use. If you want higher assurance, ask the author for a corrected install/usage guide or update the SKILL.md to match the repository layout before enabling automated scheduling.Like a lobster shell, security has layers — review code before you run it.
latestvk97e6y37v3p1sjvmyct5pj5mb58368tp
License
MIT-0
Free to use, modify, and redistribute. No attribution required.