Skill v1.0.0
ClawScan security
Yr Weather · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 26, 2026, 5:26 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and requirements are consistent with a simple MET Norway (yr.no) weather client: it makes direct requests to api.met.no for forecasts, needs lat/lon, and demands no secrets or unusual privileges.
- Guidance: This skill appears to do exactly what it says: call MET Norway's locationforecast API and format results. It does make outbound HTTP requests to api.met.no (no auth required) so ensure you are comfortable with that. The bundle includes the Python scripts and tests; no secrets are requested. If you plan to run pip install from the GitHub URL mentioned in the README/SKILL.md, review that external repo before installing system-wide. Also ensure the agent supplies lat/lon (there are no defaults) and substitutes the {baseDir} placeholder when invoking the provided CLI scripts.
Review Dimensions
- Purpose & Capability: ok. Name/description claim (fetch forecasts from MET/yr.no) matches the included code: scripts/yr_service.py calls https://api.met.no/weatherapi/locationforecast/2.0/compact. No unrelated credentials, binaries, or services are requested.
- Instruction Scope: ok. SKILL.md instructs running the bundled Python CLIs (weather.py, tomorrow.py) with explicit lat/lon and points to tests that mock network calls. Instructions do not ask the agent to read unrelated files, environment variables, or transmit data to unexpected endpoints. Minor note: SKILL.md uses a {baseDir} placeholder which the agent must substitute when running commands.
- Install Mechanism: ok. The registry entry has no install spec (lowest-risk). The bundle includes Python source and a pyproject.toml; there is an optional README note showing how to pip-install the upstream GitHub repo (a standard GitHub URL). No downloads from obscure hosts, no extracted archives, and runtime behavior is limited to HTTP GET against MET's API.
- Credentials: ok. The skill requires no environment variables or credentials. It sets a benign User-Agent header and only performs unauthenticated calls to MET Norway. There are no requests for unrelated secrets or config paths.
- Persistence & Privilege: ok. The skill does not request persistent or elevated privileges (always: false). It does not modify other skills or system configuration and does not store credentials.
