Skill v1.0.0

ClawScan security

BaZi Calculator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Mar 11, 2026, 4:22 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill appears to implement a legitimate BaZi calculator and doesn't try to exfiltrate data, but there is a coherence issue: the included Python code depends on the third‑party package 'lunar_python' while the skill provides no install instructions or declared dependency, which could require the agent or user to pull external code at runtime.
Guidance
This skill appears to do what it says: compute Four Pillars and DaYun from a trusted reference point. Before installing or running it, note two practical concerns: (1) the Python script imports 'lunar_python' but the skill does not declare or install that dependency — you will need to install it yourself (e.g., pip install lunar_python) or ensure your runtime provides it; review the package source (PyPI project) before installing. (2) The accuracy depends entirely on the reference anchor JSON you supply; verify anchors against a trusted almanac for production/professional use. If you will run the code in an environment with restricted network access or strict supply-chain rules, treat the missing dependency as a deployment risk and inspect/approve the dependency before allowing automated install.

Review Dimensions

Purpose & Capability
ok: Name, description, SKILL.md, reference JSON files, and the single Python script all align with a BaZi / Four Pillars calculator. The inputs and outputs described in SKILL.md match what scripts/calc_bazi.py implements.
Instruction Scope
ok: Runtime instructions are narrowly scoped to reading a reference JSON and computing pillars and DaYun. The SKILL.md does not instruct reading unrelated files, sending data externally, or accessing secrets beyond the provided reference file.
Install Mechanism
note: There is no install spec (instruction-only), which is low risk. However, the code imports the third‑party Python package 'lunar_python' but the skill does not declare this dependency or provide an install step. That mismatch means someone (or the runtime) may need to fetch and install 'lunar_python' from PyPI (or elsewhere) to run the tool; pulling that dependency is an external action not documented by the skill.
Credentials
ok: The skill requests no environment variables, no credentials, and no config paths. All file reads are limited to user-supplied reference JSON files included in the skill; there is no sign of access to unrelated secrets.
Persistence & Privilege
ok: Skill flags are default (always:false; agent invocation allowed). The skill does not request persistent or system-wide privileges and does not modify other skills or global agent configuration.