Back to skill
Skillv1.0.0
ClawScan security
Weather Forecast · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 16, 2026, 8:59 AM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is internally consistent with its stated purpose: it fetches weather from the Open‑Meteo API using a bundled Python script, requests no credentials, and has no install step — though the SKILL.md leaves geocoding unspecified.
- Guidance
- This skill appears safe and does what it says: it runs a local Python script that queries api.open-meteo.com and prints a summary and raw JSON. Before installing, consider: (1) SKILL.md mentions geocoding but provides no provider — the agent may call an external geocoding API (causing outbound network requests) or ask the user for coordinates, so if you have privacy concerns supply coordinates yourself; (2) the script will make outbound HTTPS requests to Open‑Meteo — ensure you’re comfortable with that domain; (3) no credentials or installs are required. If you need deterministic behavior, ask the maintainer to include or document the geocoding method or require the user to provide coordinates.
Review Dimensions
- Purpose & Capability
- okName/description match the included script and reference docs. The script calls only the Open‑Meteo API (a free, no‑auth service) and returns hourly temperature data as promised.
- Instruction Scope
- noteSKILL.md correctly describes extracting locations and running the bundled script, but it instructs the agent to 'use geocoding' for city names without providing an implementation or naming a provider — this leaves the agent discretion to call an external geocoding service or to ask the user for coordinates.
- Install Mechanism
- okNo install spec is present (instruction-only with a bundled script). The Python script uses only standard libraries and no external downloads or extracted archives are required.
- Credentials
- okThe skill declares no environment variables, no credentials, and no config paths. The Open‑Meteo API requires no authentication, so requested access appears proportionate.
- Persistence & Privilege
- okThe skill is not always‑on, does not request elevated privileges, and does not modify other skills or system settings. It runs as-needed and only performs outbound requests to the Open‑Meteo API when invoked.