iaskaster
Review
Audited by ClawScan on May 10, 2026.
Overview
This mostly matches a paid Bazi report integration, but it stores local login tokens and includes a hardcoded third-party recharge/payment link that is not clearly explained.
Use this skill only if you trust the iaskaster provider with your phone/email login and birth information. Be especially cautious with the recharge link: verify the payment domain, merchant, amount, and that it will credit your account before paying. After use, consider deleting the local .iaskaster-token, .iaskaster-uid, and .iaskaster-session files.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user could be routed to a payment page that is not obviously part of the declared iaskaster API flow.
The recharge flow contains a static third-party payment URL with a fixed amount and merchant/payment gateway details. The artifacts do not clearly explain this payment processor, merchant, or how the payment is tied to the user's iaskaster account.
var T="https://qr.yisuke.com/public/qr/dynamicPay.html?payUrl=https%3A%2F%2Fqr.shouqianba.com...&payAmount=1&totalAmount=1&shopName=..."
Do not pay through the recharge link unless you independently verify the merchant, amount, and account crediting. The skill should disclose the payment domains and fetch account-specific recharge links from the authenticated service.
Anyone with access to the token file may be able to access the user's iaskaster account data such as reports, balance, or quota.
The skill stores and reads a local token file, then uses that token for authenticated API requests. This is expected for login, but it is persistent account access.
b=process.env.IASKASTER_TOKEN_FILE||".iaskaster-token"; function S(){return _(b)?k(b,"utf-8").trim():null} ... r.Authorization=`Bearer ${a}`
Protect or delete .iaskaster-token, .iaskaster-uid, and .iaskaster-session when no longer needed. The skill should document token storage and use restrictive file permissions.
Personal birth and identity details are shared with the external provider to generate the report.
The skill sends name, gender, birth date/time, and location-derived birth information to the external fortune-report API. This is central to the service, but it is sensitive personal data.
let t={name:e.name,gender:e.gender,birthYear:e.birthYear,birthMonth:e.birthMonth,birthDay:e.birthDay,birthHour:e.birthHour,birthMinute:e.birthMinute,...}; ... g("/api/v1/fortune/generate",{method:"POST",body:JSON.stringify(t)})
Only provide information you are comfortable sharing with the provider, and review the provider's privacy and retention practices.
Installation can pull code from npm and update the local OpenClaw skill configuration.
The manual installer fetches an npm dependency during installation. This is common for a Node-based skill, but it depends on external package provenance and is not represented as a formal registry install spec.
npm install puppeteer-core
Review install.sh before running it and install only in an environment where npm dependency installation is acceptable.
