Weather Digest

Pass

Audited by ClawScan on May 1, 2026.

Overview

Weather Digest appears to be a straightforward NOAA weather-report generator, with only user-directed setup, scheduling, and output-sharing items to review before use.

This looks reasonable for generating NOAA-based weather digests. Before installing, use a virtual environment, consider pinning dependencies, customize any automation paths or recipients, only enable cron/heartbeat/Slack posting if you want recurring sharing, and sanitize generated HTML before publishing it broadly.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A future dependency version could change behavior or introduce a vulnerability even though the dependency itself is purpose-aligned.

Why it was flagged

The dependency is expected for the NOAA HTTP client, but it is not pinned to an exact version, so future installs may resolve to newer package versions.

Skill content

requests>=2.31.0

Recommendation

Install in a virtual environment and consider pinning an exact reviewed version of requests for repeatable installs.

What this means

If enabled, the skill can keep running every day and writing outputs or notifications without a fresh manual command each time.

Why it was flagged

The automation guide shows how to run the digest on a daily schedule using cron, with other sections also describing heartbeat and LaunchAgent scheduling.

Skill content

0 6 * * * /Users/dannyvett/bin/run-weather-digest.sh >> /Users/dannyvett/logs/weather-digest.log 2>&1

Recommendation

Only enable the scheduled recipes if you want recurring execution, and replace the sample user-specific paths and recipients with your own reviewed values.

What this means

Weather digest contents, including configured locations, could be sent outside the local machine if the webhook automation is used.

Why it was flagged

The optional Slack recipe posts digest content to a webhook, which can share configured location/weather information with an external workspace.

Skill content

curl -X POST -H 'Content-type: application/json' ... $SLACK_WEBHOOK_URL

Recommendation

Use only trusted webhook URLs, protect the webhook secret, and avoid posting precise personal locations unless that is intended.

What this means

If unexpected markup appears in configured or fetched text and the generated HTML is published or embedded, that markup could carry into the published page or email.

Why it was flagged

The HTML output interpolates configured names and NOAA alert fields directly into HTML; this is useful for publishing but does not show HTML escaping in the provided snippet.

Skill content

f"<section class=\"card\"><h2>{report['display_name']}</h2>{city_meta}" ... f"<div class=\"headline\">{headline}</div>{instructions_html}</div>"

Recommendation

Keep configuration inputs trusted and add HTML escaping before using generated HTML in public pages, CMS embeds, or broad email distribution.