Yinian Zwds

一念紫微斗数 (Yinian Zi Wei Dou Shu) — 专业AI紫微斗数排盘解盘系统。三派合一：三合派/飞星派/占验派。触发词：紫微斗数、紫微、命盘、排盘、ZWDS、ziwei、Purple Star

This skill appears to implement a real Zi Wei Dou Shu (astrology) system and includes code to build prompts and call external LLM APIs, which is consistent with the description — but there are important mismatches you should consider before installing or running it: - Undeclared secret access: The code will look for DEEPSEEK_API_KEY and OPENAI_API_KEY and will attempt to read your OpenClaw config at ~/.openclaw/openclaw.json to extract keys. The registry metadata did not declare these env vars or config paths. If you have sensitive keys in those locations, the skill will use them to call external services. - Network behavior: Running the provided scripts will send chart data and AI prompts (including users' birth info) to external AI endpoints (DeepSeek/OpenAI). This is expected for LLM-powered output, but you should be aware data will leave your machine when these scripts are executed. - Extra components not documented in SKILL.md: The package includes an API server (FastAPI), a Telegram handler, and scheduled push logic. These components could expose data or start outgoing connections if run; SKILL.md primarily documents interactive use but does not warn about these modules. Recommendations: 1. Inspect the code yourself or have someone you trust review ai_engine.py and any network call before running. Verify exactly what data is sent in requests. 2. If you want to try it, run it in an isolated environment (VM or container) without sensitive keys present. Provide only ephemeral/test API keys if needed. 3. Prefer to run the calculation-only parts (zwds_calc.generate_astrolabe) locally first to validate outputs; avoid running scripts that call call_llm or start api_app unless you intend those behaviors. 4. Ask the publisher to update SKILL.md and registry metadata to declare required env vars/config paths and to explicitly document the network calls and optional server components. If you want, I can list the exact lines/files that read environment variables or the OpenClaw config and the functions that perform network requests so you can inspect them more quickly.

Type: OpenClaw Skill Name: yinian-zwds Version: 2.1.0 The skill bundle is classified as suspicious primarily because `scripts/ai_engine.py` directly accesses and parses the global OpenClaw configuration file (`~/.openclaw/openclaw.json`) to extract DeepSeek and OpenAI API keys. While this is intended to facilitate the skill's astrology interpretation features, accessing the platform's sensitive core configuration file is an over-privileged behavior that bypasses standard environment variable usage. Additionally, `SKILL.md` provides instructions for the agent to execute complex Python logic via shell commands (`python3 -c`), which creates a potential surface for command injection if birth dates or names are not strictly sanitized. No evidence of intentional data exfiltration to unauthorized third-party servers was found.