Skill v1.0.3
ClawScan security
ThermikBuddy · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 24, 2026, 10:28 PM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill appears to implement a coherent soaring-weather forecasting engine that contacts Open‑Meteo and DHV, but there are metadata and packaging inconsistencies (and an undeclared runtime dependency on python3) that you should verify before installing.
- Guidance
- This skill mostly looks like what it says: a Python-based Thermik forecast engine that fetches Open‑Meteo data and (optionally) scrapes DHV text to adjust scores. Before installing or running it: 1) Ensure you or the environment provides python3 on PATH (SKILL.md expects 'python3' but the skill declares no required binaries). 2) Review the included .py files yourself (they are present in the bundle) — they perform outbound network calls to api.open-meteo.com and https://www.dhv.de and emit JSON; there is no credential exfiltration, but code execution is required. 3) Note the metadata/version inconsistencies (SKILL.md v2.0.0 vs _meta/origin showing 1.0.2/1.0.3) — ask the publisher which version is authoritative. 4) If you will run this in an automated agent, run it first in a sandbox or restricted environment and check its network activity. 5) If you depend on accuracy for flight decisions, treat this as advisory and cross-check with official sources (DWD, DHV, SkySight) as suggested by the skill.
Review Dimensions
- Purpose & Capability
- note: The name/description match the included code: the scripts fetch weather from Open‑Meteo, optionally scrape DHV, compute a Thermik score and emit JSON, which aligns with the stated purpose. However, the skill declares no required binaries while the runtime instructions and included scripts explicitly call python3; the lack of a declared Python runtime is an omission/inconsistency.
- Instruction Scope
- ok: SKILL.md instructs only to run the provided Python scripts and to present region choices to the user. The scripts themselves perform network calls (Open‑Meteo API, DHV website), parse data, and compute scores. They do not read arbitrary local files and use no environment variables (none are declared). One minor concern: DHV scraping uses fragile regex-based HTML extraction (no HTML parser), which is brittle but not a data-exfiltration issue.
- Install Mechanism
- ok: There is no install spec and no external download/install step; the skill is delivered as code files that the agent will run. This is lower risk than fetching arbitrary binaries. Still, running bundled scripts means code will execute on the host, so review the code before running.
- Credentials
- ok: The skill requests no environment variables or credentials and only talks to expected endpoints (api.open-meteo.com and www.dhv.de). There are no unrelated credential requests or hidden endpoints in the code.
- Persistence & Privilege
- ok: The skill does not request always:true and does not attempt to modify other skills or persist credentials. It runs on invocation and prints results to stdout/stderr as expected.
