Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
ThermikBuddy
v1.0.3
Gliding and thermal forecast with a Thermik score (0-10). Use this skill when the user asks about gliding weather, thermals, cross-country flight conditions, Flugwette...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious, medium confidence
Purpose & Capability
The name/description match the included code: the scripts fetch weather from Open‑Meteo, optionally scrape DHV, compute a Thermik score and emit JSON — that aligns with the stated purpose. However the skill declares no required binaries while the runtime instructions and included scripts explicitly call python3; the lack of a declared python runtime is an omission/inconsistency.
Instruction Scope
SKILL.md instructs only to run the provided Python scripts and to present region choices to the user. The scripts themselves perform network calls (Open‑Meteo API, DHV website), parse data, and compute scores. They do not read arbitrary local files or request environment variables (none are declared). One minor concern: DHV scraping uses regex-based HTML extraction (no HTML parser), which is brittle but not a data-exfiltration issue.
Install Mechanism
There is no install spec and no external download/install step — the skill is delivered as code files that the agent will run. This is lower risk than fetching arbitrary binaries. Still, running bundled scripts means code will execute on the host — review the code before running.
Credentials
The skill requests no environment variables or credentials and only talks to expected endpoints (api.open-meteo.com and www.dhv.de). There are no unrelated credential requests or hidden endpoints in the code.
Persistence & Privilege
The skill does not request always:true and does not attempt to modify other skills or persist credentials. It runs on invocation and prints results to stdout/stderr as expected.
What to consider before installing
This skill mostly looks like what it says: a Python-based Thermik forecast engine that fetches Open‑Meteo data and (optionally) scrapes DHV text to adjust scores. Before installing or running it:
1) Ensure you or the environment provides python3 on PATH (SKILL.md expects 'python3' but the skill declares no required binaries).
2) Review the included .py files yourself (they are present in the bundle) — they perform outbound network calls to api.open-meteo.com and https://www.dhv.de and emit JSON; there is no credential exfiltration, but code execution is required.
3) Note the metadata/version inconsistencies (SKILL.md v2.0.0 vs _meta/origin showing 1.0.2/1.0.3) — ask the publisher which version is authoritative.
4) If you will run this in an automated agent, run it first in a sandbox or restricted environment and check its network activity.
5) If you depend on accuracy for flight decisions, treat this as advisory and cross-check with official sources (DWD, DHV, SkySight) as suggested by the skill.
Like a lobster shell, security has layers — review code before you run it.
latestvk97fytp3emebhd9cj4wq486xdn81rm3k
