Skill v1.0.1

ClawScan security

Weather Plus · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 6, 2026, 9:28 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill is mostly coherent (fetches weather from wttr.in and offers clothing advice) but contains inconsistent metadata and billing behavior that you should verify before installing or providing credentials.
Guidance
This skill appears to implement its advertised weather, forecast, and clothing features using wttr.in and includes a billing integration with SkillPay.me. Before installing or entering any API key:
(1) Verify the SKILLPAY_API_KEY requirement: the registry metadata omits it but SKILL.md and billing.py require it.
(2) Confirm you trust skillpay.me as the billing endpoint and understand charges (calls to billing.py will POST your user_id and the SKILLPAY_API_KEY to that service).
(3) If you want to test behavior, run the weather/forecast scripts locally without setting SKILLPAY_API_KEY (they fetch from wttr.in) and inspect billing.py to see what data would be sent.
(4) Prefer providing a limited/test billing key, or monitor usage if you supply a real key.
The inconsistencies are likely sloppy documentation/metadata but should be clarified before you provide credentials or enable automated billing.

Review Dimensions

Purpose & Capability
note: The code and SKILL.md implement a weather+clothing service using wttr.in (no third-party weather API key), and include a billing integration with SkillPay.me to charge 0.001 USDT/call. Billing is a plausible extra capability for a paid skill, but the top-level registry metadata incorrectly lists no required env vars while SKILL.md and billing.py require SKILLPAY_API_KEY. Also, the SKILL.md header's phrase 'No API key required' is ambiguous (it appears to mean no weather API key, but the skill still requires a SkillPay API key for billing).
Instruction Scope
ok: Runtime instructions are explicit: run the provided Python scripts. The scripts only fetch data from wttr.in (weather/forecast) and SkillPay.me (billing). They do not attempt to read arbitrary host files, other env vars, or other system configuration.
Install Mechanism
ok: No install spec or remote downloads are present; the skill is instructions plus local Python scripts included in the package, which is low risk from an install-mechanism perspective.
Credentials
concern: The SKILL.md and scripts require SKILLPAY_API_KEY for billing. The registry metadata (which lists required env vars) does not declare this, an inconsistency that matters because you'd have to provide a billing API key that will be sent to https://skillpay.me. Requiring a single billing key is reasonable for a paid skill, but the missing/contradictory metadata and the ambiguous 'No API key required' message are red flags that should be resolved before supplying secrets.
Persistence & Privilege
ok: The skill does not request persistent installation privileges (always:false), does not modify other skills or system-wide agent settings, and has no install-time code that writes system configuration.