Skillv1.0.0

ClawScan security

汲取百家所长的最强算命大师 - Zhouyi - Yijing - Zhanbu - Bagua - Xuanxue -Shushu - Witch - Fortune Teller _占卜_周易_易经_八卦_玄学_术数 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 27, 2026, 12:07 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's code, instructions, and requirements are coherent with a local I Ching / Zhouyi divination tool — it asks only for node, includes local data and scripts, and does not request unrelated credentials or network installs.
Guidance: This skill appears to be a local, self-contained Zhouyi/I Ching tool: it bundles the canonical text, a JS CLI, a small web UI, and a Python data-builder. Key points to consider before installing: 1) It requires Node.js to run the CLI and tests — no cloud credentials or network installs are requested. 2) The source text is included (references/zhouyi-benjing-source.txt) and appears to be from Project Gutenberg; confirm you are comfortable with that license and local storage of the text. 3) The publish script and tests operate on local files (zipping, running node), so run the test suite locally (npm test / node tests/*) to verify behavior in your environment. 4) If you prefer to avoid any autonomous skill invocation by agents, you can disable model invocation for skills or not grant this skill automatic usage in your agent settings. Overall this package is internally consistent and matches its stated purpose; review and run the included tests locally if you want higher assurance.

Review Dimensions

Purpose & Capability: okThe name/description match the code and SKILL.md: local I Ching data, lookup, casting, and a small 'encyclopedia' router. Required binary is only node, which is appropriate for the included JavaScript files. There are no unrelated credentials, binaries, or config paths.
Instruction Scope: okSKILL.md instructs running the included node and python scripts and opening the local index.html. Runtime instructions reference only local files (scripts, data, references) and test commands; they do not read environment variables, contact external endpoints, or instruct exfiltration of data.
Install Mechanism: okThere is no external install spec — the package is instruction-and-code-only and runs with an existing node runtime. All files are bundled locally; no remote downloads, URLs, or archive extraction occur in the provided scripts.
Credentials: okNo env vars, API keys, or credentials are required. The skill reads local data files included in the package (Project Gutenberg source text copy) which aligns with its purpose.
Persistence & Privilege: okThe skill does not request always:true and does not attempt to modify other skills or system-wide configuration. disable-model-invocation is false (normal), so the usual autonomy controls apply.