by 安全扫描
OpenClaw
可疑
medium confidenceThe skill's code and documentation are internally consistent for computing 八字 by calling an external API, but it transmits personal data to an unknown HTTP endpoint (no TLS) and omits dependency declaration — this raises privacy and transport-security concerns.
评估建议
This skill appears to do what it says, but exercise caution before using it with real personal data. It POSTs name/gender/date-of-birth to http://api.bagezi.top (note: plain HTTP, not HTTPS), so unencrypted interception is possible and the recipient is an unknown third party. Before installing or running: (1) avoid sending sensitive/real PII unless you trust the service; (2) prefer an HTTPS endpoint — contact the author or verify api.bagezi.top supports TLS; (3) run the script in an isolated env...详细分析 ▾
✓ 用途与能力
Name, description, SKILL.md and paipan.py all align: the tool collects name/gender/birthday and POSTs them to api.bagezi.top to compute 八字. There are no unrelated credentials, binaries, or config paths requested.
⚠ 指令范围
The runtime sends PII (name, gender, birthday) to an external endpoint (http://api.bagezi.top/api/paipan). The SKILL.md exposes that endpoint. The code uses plain HTTP (no HTTPS), meaning data is sent unencrypted in transit — a privacy/transport-security risk. The instructions do not access other system files or env vars, but they do direct personal data off-host.
ℹ 安装机制
No install spec is provided (instruction-only), so nothing is written to disk by an installer. However, paipan.py depends on the Python 'requests' package but the skill does not declare or install this dependency, which may cause runtime failures; there are no high-risk downloads or archive extractions.
✓ 凭证需求
The skill requests no environment variables, credentials, or config paths — that is proportionate. The primary risk is that it transmits user-supplied personal data to a third-party service without requiring explicit auth from the user.
✓ 持久化与权限
The skill is not forced-always nor trying to persist or modify other skill/system configs. It is user-invocable and can be invoked autonomously (platform default), which is expected and not by itself a red flag.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.22026/3/3
更新凡心八字在线排盘后端API的域名地址
● 无害
安装命令
点击复制官方npx clawhub@latest install bazi
镜像加速npx clawhub@latest install bazi --registry https://cn.longxiaskill.com