Skill v1.0.0
ClawScan security
Weather Check · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 4, 2026, 1:18 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's instructions, requirements, and behavior are coherent with a simple weather lookup service that issues HTTP POSTs to an external API; it does not request extra credentials or perform unexpected local actions.
- Guidance: This skill simply posts location queries to https://weather.agentutil.net and returns the service's response. Before installing, consider whether you trust that domain and its privacy claims: queries (including coordinates) will be sent to that third party and may be logged. The SKILL.md mentions a paid crypto-based tier — confirm you understand how billing would be handled if you plan to exceed the free quota. If you need stronger privacy guarantees, prefer a weather API you control or one from a well-known provider and require explicit authentication rather than an unauthenticated endpoint.
Review Dimensions
- Purpose & Capability (ok): Name/description (weather and forecasts) match the runtime instructions, which call a remote weather API (https://weather.agentutil.net). There are no unrelated requirements (no binaries, env vars, or installs). Note: registry metadata listed no homepage but SKILL.md includes one — minor metadata inconsistency.
- Instruction Scope (note): SKILL.md instructs the agent to POST location data (name or lat/lon) to the external service and to parse responses. This is expected for a weather skill, but it does mean user-provided locations are transmitted to a third-party endpoint; the agent may also perform outbound network calls whenever the skill is used.
- Install Mechanism (ok): No install spec and no code files — instruction-only. Nothing is written to disk or installed by the skill itself.
- Credentials (ok): No environment variables, credentials, or config paths are requested. The SKILL.md mentions a paid tier (crypto payment) but does not require any payment credentials from the agent, which is unusual but not inconsistent.
- Persistence & Privilege (ok): always: false and default agent invocation rules apply. The skill does not request permanent presence or privileges over other skills or system config.
