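度小满 (Du Xiaoman) Weather Merchant
v1.0.10
Triggered when the user asks about the weather (how is the weather today, how is the weather, weather for a given city or date), or queries weather service orders, quota, or call details.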
by 度小满 @duxiaoman
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (weather + merchant flows) align with the code and SKILL.md: network calls, payment/short-link usage, order/quota/call-log endpoints and QR code generation are all directed to www.dxmpay.com as described.
Instruction Scope
Runtime instructions require asking the user for a password (or using SP_WEATHER_PASSWORD), running userConfig and CLI commands; the skill reads/writes only the declared config path and writes PNG files to the current working directory. This is within scope but requires the agent to prompt for sensitive input and will leave files on disk unless cleaned up.
Install Mechanism
No install spec (instruction-only) but code files are bundled. No external downloads or installers are used; included qrcode library is local. No high-risk remote install activity detected.
Credentials
The only environment variables used are CLAUDE_SKILL_DIR (injected), SP_WEATHER_BASE (optional base URL), and SP_WEATHER_PASSWORD (optional password override) — all justified by the skill's behavior. The skill generates and stores an encrypted private key (config file) which is proportionate to signing API requests.
Persistence & Privilege
The skill writes an encrypted config file (${CLAUDE_SKILL_DIR}/sp-weather-config.json) and generates PNG files in the working directory. It does not request always:true or system-wide privileges. Users should be aware of file residuals and that the agent can execute bundled node scripts.
Assessment
This skill appears internally consistent with a weather+payment integration that only talks to https://www.dxmpay.com. Before installing:
1) only install if you trust www.dxmpay.com (all network I/O targets that domain);
2) be prepared to enter a private-key password in chat (or set SP_WEATHER_PASSWORD) — the skill stores an encrypted private key under the skill directory;
3) it writes PNG QR files to the current working directory (clean them up if needed);
4) note the code sets a compatibility TLS option (SSL_OP_LEGACY_SERVER_CONNECT) to connect to older servers — this weakens TLS in some environments;
5) the skill will call another skill (dxm-claw-pay) for payment flows — review that skill separately.
If any of those behaviors are unacceptable, do not install. If you want higher assurance, ask the author for: (a) the canonical HTTPS host(s) and proof of ownership, (b) an explanation for the TLS legacy option, and (c) a module export contract (the CLI references local QR code modules which appear bundled but have minor API inconsistencies).
Like a lobster shell, security has layers — review code before you run it.
