Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

hefengweather

v1.0.0

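Query real-time weather, hourly and daily forecasts, and minute-level precipitation for a specified city. Requires configuring a HeFeng Weather (QWeather) API key before use.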

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, description, SKILL.md and the Python script are coherent: they implement a HeFeng (qweather) weather query client and only call qweather endpoints. However, the registry metadata declares no required env vars while the skill explicitly requires HEFENG_WEATHER_API_KEY. This mismatch is unexpected and should be corrected.
Instruction Scope
Runtime instructions and the script are narrowly scoped: read API key from env or local config file, call devapi.qweather.com endpoints, format and print JSON/text. The SKILL.md does not instruct reading unrelated system files or sending data to other endpoints.
Install Mechanism
Instruction-only skill with a small Python script and a single dependency (requests). No install spec or external downloads; nothing being extracted or executed from third-party URLs.
Credentials
The skill requires a single API key (HEFENG_WEATHER_API_KEY) to function, which is proportionate for a weather client. The concern is that the package/registry metadata did not declare this required environment variable; that omission could lead to unexpected permission/consent behaviour in automated installs.
Persistence & Privilege
No elevated privileges requested, not always-enabled, and the skill does not modify other skills or system-wide agent configs. It only reads a local config file or environment variable as described.
What to consider before installing
This skill is functionally a simple HeFeng (qweather) weather client and the code appears not to exfiltrate data beyond calls to devapi.qweather.com. However, the registry metadata neglects to declare the required HEFENG_WEATHER_API_KEY environment variable even though SKILL.md and the script require it. Before installing: (1) confirm you are comfortable providing your HeFeng API key to this skill and store the key securely (use an environment variable rather than committing the key to files), (2) review the script yourself to verify only qweather endpoints are called, (3) prefer running the script locally first (python3 scripts/weather_query.py "城市" --type now) to observe behavior, and (4) ask the publisher/registry to update metadata to explicitly list HEFENG_WEATHER_API_KEY so automated permission systems can surface that requirement. If you need higher assurance, request a signed/verified package or a maintainer statement that no other network endpoints are used.

Like a lobster shell, security has layers — review code before you run it.
