命理大师
PassAudited by ClawScan on May 2, 2026.
Overview
The available artifacts show a disclosed, mostly local fortune-telling skill, with noteworthy optional API-key use, local profile storage, and opt-in scheduled pushes that users should review.
Install only if you are comfortable storing astrology profile data locally. Leave daily push disabled unless you want scheduled messages, and use the documented off/delete commands when finished. If using the optional LLM divination feature, use a separate limited API key and a trusted endpoint. Several source files were omitted/truncated in the supplied review context, so inspect the full package if you need high assurance.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may see an unrelated identifier and should verify this is the intended skill before installing.
The registry slug does not match the fortune-telling skill purpose, which could confuse users about what they are installing even though the visible descriptions are otherwise consistent.
"slug": "university-applications", "name": "fortune-master-ultimate"
The publisher should align the slug with the skill name/purpose; users should rely on the name, description, and file contents rather than the slug alone.
If enabled, the user’s API key may authorize LLM usage and incur account charges at the configured provider.
The optional liuyao HTML feature can use a user-supplied LLM API key. This is disclosed and user-initiated, but API keys are sensitive credentials.
credential: "user-provided LLM API key, entered at runtime, stored in browser localStorage only"
Use a separate limited-scope API key, only enter it in a trusted local copy of the HTML page, and clear browser localStorage if you stop using the feature.
Personal and family birth/profile information may remain on the local filesystem until the user deletes it.
The profile template includes birth details, optional family-member details, preferences, and an interaction log that can be retained locally.
"birthDate", "birthTime", "birthPlace", "family", "interactionLog"
Only save information needed for the reading, avoid unnecessary family-member data, and use the documented profile delete/edit commands to clean up.
If enabled, the skill may continue producing daily fortune messages until the scheduled push is disabled.
The skill can register scheduled daily push tasks through the OpenClaw runtime, which is a persistence mechanism. The artifacts state it is opt-in and removable.
只有用户显式运行 `push-toggle.js on` 后才会注册定时任务... `__OPENCLAW_CRON_ADD__` / `__OPENCLAW_CRON_RM__`
Keep push disabled unless wanted, check status with the documented command, and run the off command to remove scheduled pushes.