Weather Pulse
Pass
Audited by VirusTotal on May 13, 2026.
Overview
Type: OpenClaw Skill
Name: weather-pulse
Version: 1.3.4
The weather-pulse skill is a legitimate tool for fetching weather and air quality data from QWeather and WAQI APIs. The implementation in scripts/weather.py uses standard Python libraries (urllib) for network communication and follows the documented functionality without any signs of malicious behavior, data exfiltration, or prompt injection. The use of environment variables for API configuration is standard practice for this type of utility.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill runs local Python code that contacts weather/AQI APIs and prints results.
The skill is meant to run an included local Python CLI. The reviewed script is purpose-aligned and does not show shelling out, dynamic execution, or hidden install steps.
Usage: python scripts/weather.py <location> [--endpoint ENDPOINT] [--json]
Run it only from the reviewed skill directory, and avoid modifying the script or changing the environment-configured host to an untrusted destination.
The skill can use the QWeather key or WAQI token you provide to make provider API calls.
The skill discloses provider API credentials as optional environment variables for the weather and AQI services.
QWEATHER_API_KEY ... WAQI_API_TOKEN
Use dedicated, low-privilege/free-tier API credentials and rotate them if you suspect exposure.
Your queried city, coordinates, or location string may be visible to the external weather/AQI provider.
The code sends the requested location plus provider credentials to QWeather or WAQI over HTTPS, which is expected for this integration.
u = f'https://{H}/{EP.get(ep, f"v7/{ep}")}?key={K}&location={urllib.parse.quote(loc)}...'
u = f'https://api.waqi.info/feed/{urllib.parse.quote(loc)}/?token={T}'
Avoid querying sensitive precise locations unless you are comfortable sharing them with QWeather or WAQI.
You have less external context for who maintains the skill or where updates originate.
The registry metadata does not provide an external source or homepage, limiting provenance verification even though the included code is small and reviewable.
Source: unknown
Homepage: none
Review the included files before use and prefer pinned, trusted sources when available.
