Skill v1.0.0

VirusTotal security

Open-Meteo Weather + Weather Strip · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 30, 2026, 4:52 AM
Hash
70409f82e977d884266c7886b82299760361867a8adf34669c19c3a71accf14d
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: open-meteo
Version: 1.0.0
The skill bundle is classified as suspicious due to several vulnerabilities. The `scripts/weather.sh` script is susceptible to shell injection, as it directly interpolates command-line arguments (e.g., latitude, longitude) into a `curl` command without sanitization, potentially allowing arbitrary command execution if the agent passes untrusted user input. Additionally, `scripts/weather_strip.py` has a potential Cross-Site Scripting (XSS) vulnerability where `loc["name"]` from the `--schedule` argument is directly embedded into the generated HTML's JavaScript data, and a potential Server-Side Request Forgery (SSRF) vulnerability due to direct interpolation of `lat`/`lon` into `urllib.request.urlopen` calls. While the skill's stated purpose is benign, these flaws could be exploited by a malicious actor controlling the agent's input.