Skill v1.0.3

ClawScan security

Weather Plus Cn · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 14, 2026, 3:37 PM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
This skill is internally consistent: it scrapes China Weather Net pages (or uses wttr.in) and the included Python script and instructions match the stated purpose without requesting extra credentials or unusual installs.
Guidance
This skill appears coherent and reasonably safe for its purpose. Points to consider before installing: (1) The script fetches pages from http://www.weather.com.cn (note: it uses plain HTTP in code) — consider switching to HTTPS to avoid network interception if you care about integrity; (2) The implementation scrapes HTML with regex, so it may break if the site structure changes; (3) Avoid high-frequency automated queries to prevent rate limits or IP blocking; (4) The skill does not request credentials or access sensitive files, and it does not install software, but it does perform outbound web requests — ensure your environment permits that. If you need stronger guarantees, ask the author to change the fetch URL to HTTPS and to add error handling / retries for transient network issues.

Review Dimensions

Purpose & Capability
ok
Name/description (Chinese city weather, clothing/life-index suggestions) match the files and runtime instructions. The only network targets are weather.com.cn and optionally wttr.in, which are appropriate for the stated purpose.
Instruction Scope
ok
SKILL.md limits actions to fetching/parsing weather pages (web_fetch, curl, or the included Python script). It does not instruct reading unrelated files, accessing other services, or exfiltrating secrets. The workflow and example commands are specific and scoped to weather queries.
Install Mechanism
ok
No install spec; this is instruction-only plus an auxiliary Python script. Nothing is downloaded from external/untrusted URLs and no archives are extracted.
Credentials
ok
The skill requests no environment variables, credentials, or config paths. The Python script runs locally and only performs HTTP requests to the stated data source.
Persistence & Privilege
ok
always is false and the skill does not attempt to modify other skills or system configuration. Autonomous invocation is allowed by platform default but this skill's scope is limited and does not expand privileges.