Stormglass Surf & Ocean Data
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its surf-report purpose, but an error-handling path may expose the optional Google Geocoding API key in logs or error output.
This skill appears to perform the advertised surf-report function and does not show malicious behavior. Before installing, be aware that locations are sent to weather/geocoding providers and that the visible code should be fixed to redact the optional Google Geocoding API key from error messages. Avoid cron/logging in production until that is addressed, or use coordinate mode without a Google key.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A failed Google geocoding request could expose the user's Google API key in terminal output, stderr, or logs.
The optional Google Geocoding API key is placed in the URL query string, and HTTP errors include the full URL in the exception message. If surfaced or logged, this can reveal the key.
query = urllib.parse.urlencode({"address": address, "key": api_key}) ... raise ApiError(f"HTTP {exc.code} for {url}: {detail}")
Redact secret query parameters before constructing error messages, avoid logging full URLs containing keys, and rotate the Google key if it has already been exposed.
Surf spot names or coordinates may be shared with Stormglass, Google, or OpenStreetMap/Nominatim during normal use.
The skill intentionally sends user-supplied locations or coordinates to external weather and geocoding services. This is disclosed and purpose-aligned.
Weather point endpoint: `GET https://api.stormglass.io/v2/weather/point` ... Google geocoding endpoint ... OpenStreetMap fallback geocoding endpoint
Use direct coordinates if you want to avoid geocoding, avoid submitting sensitive private addresses, and review the providers' data policies if location privacy matters.
If the user installs the cron job, surf reports and errors will be stored locally on a recurring schedule.
The skill documents optional recurring cron execution and local logging. This is user-directed rather than hidden background behavior.
*/30 * * * * cd /home/dgorissen/code/stormglass-skill && python scripts/surf_report.py ... >> logs/surf_report.jsonl 2>> logs/surf_report.err
Only add cron entries intentionally, protect and rotate logs, and be cautious until credential redaction is fixed.
This limits confidence that all runtime paths were reviewed, even though the visible portions align with the stated purpose.
The supplied main CLI source artifact is marked as truncated, so the available review context does not include the entire implementation.
"truncated": true
Inspect the full repository source before production use, especially before adding cron automation or storing API credentials.
