Weather Pulse

Pass

Audited by ClawScan on May 13, 2026.

Overview

Weather Pulse appears benign: it fetches weather and air-quality data from QWeather and WAQI using user-provided API credentials, with no hidden persistence or destructive behavior in the provided code.

This skill is reasonable to install if you trust the included Python script and are comfortable sharing requested locations with QWeather or WAQI. Use dedicated API keys/tokens, set the QWeather host only to the official provider host from your console, and avoid querying highly sensitive precise locations unless necessary.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Using the skill runs local Python code that contacts weather/AQI APIs and prints results.

Why it was flagged

The skill is meant to run an included local Python CLI. The reviewed script is purpose-aligned and does not show shelling out, dynamic execution, or hidden install steps.

Skill content

Usage
  python scripts/weather.py <location> [--endpoint ENDPOINT] [--json]

Recommendation

Run it only from the reviewed skill directory, and avoid modifying the script or setting the host in the environment to an untrusted destination.

What this means

The skill can use the QWeather key or WAQI token you provide to make provider API calls.

Why it was flagged

The skill discloses provider API credentials as optional environment variables for the weather and AQI services.

Skill content

QWEATHER_API_KEY ... WAQI_API_TOKEN

Recommendation

Use dedicated, low-privilege/free-tier API credentials and rotate them if you suspect exposure.

What this means

Your queried city, coordinates, or location string may be visible to the external weather/AQI provider.

Why it was flagged

The code sends the requested location plus provider credentials to QWeather or WAQI over HTTPS, which is expected for this integration.

Skill content

u = f'https://{H}/{EP.get(ep, f"v7/{ep}")}?key={K}&location={urllib.parse.quote(loc)}...'
u = f'https://api.waqi.info/feed/{urllib.parse.quote(loc)}/?token={T}'

Recommendation

Avoid querying sensitive precise locations unless you are comfortable sharing them with QWeather or WAQI.

What this means

You have less external context for who maintains the skill or where updates originate.

Why it was flagged

The registry metadata does not provide an external source or homepage, limiting provenance verification even though the included code is small and reviewable.

Skill content

Source: unknown
Homepage: none

Recommendation

Review the included files before use and prefer pinned, trusted sources when available.