hefengweather
Review
Audited by ClawScan on May 10, 2026.
Overview
The weather-query code is mostly purpose-aligned, but the setup instructions contain a conflicting API-key source that could mislead users about which credential to use.
Before installing, verify that you get the API key only from the official QWeather/HeFeng site, not the conflicting minimaxi.com link. Use an environment variable when possible, keep any config.txt containing the key private, and install the requests dependency from a trusted Python environment.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user could obtain or paste the wrong service's API key and then send it to the weather API, or fail setup because the key source is inconsistent.
The first-use instructions point users to a non-QWeather domain to obtain an API key, while the skill otherwise describes HeFeng/QWeather and the code calls QWeather endpoints. This conflicting credential guidance can mislead users into using or exposing the wrong provider key.
Configuration: 1. Get a Key: https://www.minimaxi.com/
Use only the official QWeather/HeFeng key source, such as id.qweather.com, and ask the maintainer to remove or correct the minimaxi.com instruction.
Your weather API key may incur provider usage or billing, and it may be stored locally if you use config.txt.
The script reads a local API key and includes it in QWeather API requests. This is expected for the weather service, but it is credential use and the registry metadata declares no primary credential or required environment variable.
api_key = os.environ.get("HEFENG_WEATHER_API_KEY") ... url = f"{API_BASE_URL}{endpoint}?location={city_id}&key={api_key}"
Prefer the environment variable, avoid committing config.txt or sharing it, and ensure the key is a QWeather key with only the permissions you need.
Different environments may install different package versions, and package installation should come from a trusted source.
The skill relies on a manually installed PyPI dependency without an install spec or pinned version. The dependency is expected for HTTP weather queries, but installation provenance and versioning are not constrained by the artifacts.
`requests` library: `pip install requests`
Install dependencies from trusted PyPI or a controlled environment, and pin/review dependencies if deploying this skill broadly.
