Back to skill
Skillv1.0.0
ClawScan security
Open-Meteo Weather + Weather Strip · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 2, 2026, 4:08 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, instructions, and requirements are consistent with a weather/visualization tool that calls the Open‑Meteo API and generates an SVG/HTML; it does not request credentials or contact unexpected endpoints.
- Guidance
- This skill appears to do exactly what it claims: fetch weather from Open‑Meteo and render an SVG/HTML strip. Before installing or running: 1) Ensure you are comfortable with the skill writing output files when --output is used (check paths to avoid overwriting important files). 2) Confirm python3 and curl are available in the runtime environment. 3) If you plan to let an agent call the skill autonomously, be aware it can run the scripts and write files without further prompts — limit agent permissions or run in a sandbox if you want stricter containment. If you need extra assurance, review the included scripts line-by-line (they only call Open‑Meteo endpoints and use standard libraries).
Review Dimensions
- Purpose & Capability
- okName/description match the included scripts: weather.sh fetches Open‑Meteo JSON and weather_strip.py builds an SVG/HTML weather strip. There are no unrelated credentials, binaries, or config paths required.
- Instruction Scope
- noteSKILL.md directs the agent to run the included scripts and to embed the generated HTML in a digest. The scripts only fetch data from Open‑Meteo (and the SKILL.md shows an example geocoding URL to open-meteo's geocoding API). Note: using --output will write files to arbitrary paths (examples reference a home directory), so verify output paths before running to avoid accidental overwrites.
- Install Mechanism
- okNo install spec is provided (instruction-only). The code uses standard tools (curl in the shell script and Python's stdlib in the Python script). No external packages or downloads are installed by the skill.
- Credentials
- okThe skill requires no environment variables, API keys, or secrets. It only contacts api.open-meteo.com (and the geocoding API on open-meteo) which matches the declared purpose.
- Persistence & Privilege
- okalways is false and the skill does not request elevated or persistent system presence. It does not modify other skills' configs. Autonomous invocation is allowed by default (normal for skills).