Weather Digest

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: weather-digest
Version: 1.0.0

The OpenClaw AgentSkill 'weather-digest' is designed to fetch and format weather data from the public NOAA/NWS API. The Python script (`weather_digest.py`) makes legitimate HTTP requests to `api.weather.gov` and processes the returned JSON. It reads a user-provided configuration file (`config.json`) and writes output files (Markdown, HTML, JSON) to specified paths. While the ability to read/write arbitrary local files via command-line arguments (`--config`, `--output`, `--html`, `--json`) could be a vulnerability in a poorly secured execution environment, the skill itself does not demonstrate malicious intent; its `SKILL.md` instructions provide benign usage examples. The `automation.md` file offers legitimate recipes for users to automate the skill, including cron jobs and Slack notifications, which are standard integrations and not indicative of malice. No evidence of data exfiltration, unauthorized persistence, or prompt injection against the agent was found.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A future dependency version could change behavior or introduce a vulnerability even though the dependency itself is purpose-aligned.

Why it was flagged

The dependency is expected for the NOAA HTTP client, but it is not pinned to an exact version, so future installs may resolve to newer package versions.

Skill content

requests>=2.31.0

Recommendation

Install in a virtual environment and consider pinning an exact reviewed version of requests for repeatable installs.

What this means

If enabled, the skill can keep running every day and writing outputs or notifications without a fresh manual command each time.

Why it was flagged

The automation guide shows how to run the digest on a daily schedule using cron, with other sections also describing heartbeat and LaunchAgent scheduling.

Skill content

0 6 * * * /Users/dannyvett/bin/run-weather-digest.sh >> /Users/dannyvett/logs/weather-digest.log 2>&1

Recommendation

Only enable the scheduled recipes if you want recurring execution, and replace the sample user-specific paths and recipients with your own reviewed values.

What this means

Weather digest contents, including configured locations, could be sent outside the local machine if the webhook automation is used.

Why it was flagged

The optional Slack recipe posts digest content to a webhook, which can share configured location/weather information with an external workspace.

Skill content

curl -X POST -H 'Content-type: application/json' ... $SLACK_WEBHOOK_URL

Recommendation

Use only trusted webhook URLs, protect the webhook secret, and avoid posting precise personal locations unless that is intended.

What this means

If unexpected markup appears in configured or fetched text and the generated HTML is published or embedded, that markup could carry into the published page or email.

Why it was flagged

The HTML output interpolates configured names and NOAA alert fields directly into HTML; this is useful for publishing but does not show HTML escaping in the provided snippet.

Skill content

f"<section class=\"card\"><h2>{report['display_name']}</h2>{city_meta}" ... f"<div class=\"headline\">{headline}</div>{instructions_html}</div>"

Recommendation

Keep configuration inputs trusted and add HTML escaping before using generated HTML in public pages, CMS embeds, or broad email distribution.