Weather 1.0.0
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: weather-1-0-0
Version: 1.0.0
The skill bundle is benign. It uses `curl` to fetch weather data from legitimate public APIs (`wttr.in` and `api.open-meteo.com`), as explicitly stated in the `SKILL.md` description and metadata. One example command saves a PNG image to `/tmp/weather.png`, which is a standard and non-malicious operation for a utility skill. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, or prompt injection attempts against the agent.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A city name, airport code, or coordinates used in a query may be visible to the external weather service.
The skill sends location coordinates to an external weather provider; this is expected for the purpose, but users should understand the data leaves their environment.
curl -s "https://api.open-meteo.com/v1/forecast?latitude=51.5&longitude=-0.12&current_weather=true"
Use only locations you are comfortable sending to the weather provider, and avoid sharing unnecessarily precise coordinates if approximate weather is sufficient.
A network observer could potentially see or modify a wttr.in query or response if it is made over unencrypted HTTP.
The primary wttr.in examples use curl with a scheme-less URL; if run as written, this may default to plaintext HTTP rather than explicitly using HTTPS.
curl -s "wttr.in/London?format=3"
Prefer explicit HTTPS URLs, such as `https://wttr.in/London?format=3`, when using the wttr.in examples.
