qweather
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a request fails and the agent shows or stores the error output, your QWeather API key could be exposed in the transcript or logs.
The request params include the API key from scripts/lib/commands.ts (`params: { ...params, key: context.apiKey }`), so HTTP or JSON parse failures can print a full URL containing QWEATHER_API_KEY to stderr or logs.
const urlWithParams = buildUrlWithParams(request.url, request.params); ... `HTTP request failed with status ${response.status} for ${urlWithParams}`
Use a dedicated low-privilege QWeather key, avoid sharing raw error output, and ask the maintainer to redact the `key` parameter before including URLs in error messages.
The skill may fail to run unless Bun is already installed, and users may need to verify/install that runtime themselves.
The skill requires the Bun runtime to execute the provided TypeScript script, but the registry requirements say there are no required binaries. This is a declaration gap rather than hidden installation behavior.
Run `bun scripts/weather.ts --help` in this skill directory.
Declare Bun as a required binary and document the supported runtime version.
