Tafu BaZi

Pass

Audited by ClawScan on May 1, 2026.

Overview

This skill appears coherent and purpose-aligned, but it uses a paid Tafu API key and sends birth details to Tafu when the user asks for readings.

Before installing, confirm you want your agent to use your Tafu API key and send requested birth details to Tafu for paid calculations/readings. Keep the API key private, do not change the API base URL unless you trust it, and delete temporary payload files if they contain sensitive birth information.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the key or base URL is misconfigured, requests could use paid credits or send the credential to an unintended endpoint.

Why it was flagged

The skill requires an account API key and allows a configurable API base URL; this is disclosed and expected for Tafu, but the key authorizes paid API access.

Skill content

The host should inject `TAFU_API_KEY` from `skills.entries.tafu_bazi.apiKey`. Optional override: `skills.entries.tafu_bazi.env.TAFU_API_BASE_URL`.

Recommendation

Configure the key only in the skill’s secure settings, keep the base URL at the trusted Tafu endpoint unless intentionally testing, and monitor Tafu credits.

What this means

A user’s birth date, time, gender, and location may be transmitted to Tafu for analysis, which is core to the skill but still personal information.

Why it was flagged

The skill collects personal birth details specifically so it can send them to Tafu API endpoints for charting and readings.

Skill content

For best accuracy, collect: date, time, gender, birthplace or current city-level location

Recommendation

Use the skill only when the user understands that these details will be sent to Tafu, and avoid including unnecessary personal information.

What this means

An agent could call undocumented Tafu API paths if prompted or misdirected, potentially using credits or account capabilities beyond the intended workflow.

Why it was flagged

The helper is a raw curl wrapper that takes the HTTP method and path as arguments. This is useful for the documented API workflow but broader than a single fixed endpoint.

Skill content

    METHOD="$1"
    PATH_INPUT="$2"
    ...
    exec curl -sS --fail-with-body \
        -X "$METHOD" ... "$URL"

Recommendation

Keep calls limited to the documented Tafu endpoints and require clear user intent before paid or account-impacting requests.