ClawHub
Back to skill
v1.0.0

Solar Weather Monitor

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 4:54 AM.

Analysis

This appears to be a benign public NOAA space-weather checker that runs a local Python helper and contacts NOAA for data.

GuidanceBefore installing, be comfortable running the included Python script from an unknown source and allowing outbound HTTPS requests to services.swpc.noaa.gov. The provided artifacts do not show credential use, persistence, file modification, or data exfiltration.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceHighStatusNote
metadata
Source: unknown; Homepage: none

The registry metadata does not provide an external source or homepage for provenance verification, although the bundled code is visible and purpose-aligned.

User impactUsers must rely on the bundled artifacts rather than an independently verifiable project source.
RecommendationInstall only if comfortable with the bundled script and publisher; prefer packages with a verifiable source or homepage when available.
Unexpected Code Execution
SeverityInfoConfidenceHighStatusNote
SKILL.md
python3 solar-weather.py current

The documented usage requires executing the included Python helper locally; this is transparent and user-directed, not hidden or automatic.

User impactUsing the skill runs local Python code on the user's machine.
RecommendationRun it as a normal user, not with elevated privileges, and review the included script if the unknown source is a concern.
Tool Misuse and Exploitation
SeverityInfoConfidenceHighStatusNote
solar-weather.py
API_BASE = "https://services.swpc.noaa.gov"; urllib.request.urlopen(url, timeout=10)

The script performs outbound HTTPS API requests to NOAA SWPC endpoints, matching the stated purpose and not showing local data or credentials being sent.

User impactCommands will contact NOAA's public service to retrieve real-time space-weather data.
RecommendationAllow this network access only if NOAA SWPC data retrieval is expected; no extra credentials are needed.