ClawHub
Back to skill
v0.0.1

Yandex Weather Smarthome

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 3:34 PM.

Analysis

This skill appears to do what it says: it runs a small local Python script to fetch Yandex Weather using your API key and configured home coordinates.

GuidanceBefore installing, make sure you are comfortable providing a Yandex Weather API key and configured home coordinates. The artifacts show no suspicious behavior beyond this expected credential and location data use.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
weather.py
key = getenv_required("YANDEX_WEATHER_KEY") ... "X-Yandex-Weather-Key": key

The skill uses a Yandex Weather API key from the environment to authenticate requests. This is expected for the stated service, and the artifacts do not show hardcoding, file storage, or unrelated use of the key.

User impactThe skill can use your Yandex Weather credential when weather is requested, which could consume quota or depend on the privileges of that key.
RecommendationUse a dedicated or least-privileged Yandex Weather key if available, and keep it in environment variables rather than files.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityLowConfidenceHighStatusNote
weather.py
API_URL = "https://api.weather.yandex.ru/v2/forecast" ... "lat": lat, "lon": lon

The script sends configured latitude and longitude to the external Yandex Weather API. This is clearly aligned with the weather purpose, but it is still a home-location data flow to a third-party provider.

User impactYour configured home coordinates are shared with Yandex Weather to retrieve the forecast.
RecommendationOnly install if you are comfortable sharing those coordinates with Yandex Weather; consider using approximate coordinates if exact home location is not needed.