Tafu BaZi
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the key or base URL is misconfigured, requests could use paid credits or send the credential to an unintended endpoint.
The skill requires an account API key and allows a configurable API base URL; this is disclosed and expected for Tafu, but the key authorizes paid API access.
The host should inject `TAFU_API_KEY` from `skills.entries.tafu_bazi.apiKey`. Optional override: `skills.entries.tafu_bazi.env.TAFU_API_BASE_URL`.
Configure the key only in the skill’s secure settings, keep the base URL at the trusted Tafu endpoint unless intentionally testing, and monitor Tafu credits.
A user’s birth date, time, gender, and location may be transmitted to Tafu for analysis, which is core to the skill but still personal information.
The skill collects personal birth details specifically so it can send them to Tafu API endpoints for charting and readings.
For best accuracy, collect: date, time, gender, birthplace or current city-level location
Use the skill only when the user understands that these details will be sent to Tafu, and avoid including unnecessary personal information.
An agent could call non-documented Tafu API paths if prompted or misdirected, potentially using credits or account capabilities beyond the intended workflow.
The helper is a raw curl wrapper that takes the HTTP method and path as arguments. This is useful for the documented API workflow but broader than a single fixed endpoint.
```bash
METHOD="$1"
PATH_INPUT="$2"
...
exec curl -sS --fail-with-body \
  -X "$METHOD" ... "$URL"
```

Keep calls limited to the documented Tafu endpoints and require clear user intent before paid or account-impacting requests.
