Hefeng Weather - 和风天气
Pass. Audited by ClawScan on May 1, 2026.
Overview
This is a coherent weather-query skill, but it needs QWeather credentials and sends city/location queries to a configured API host, so verify the configuration before using it.
Install/use this skill only if you are comfortable providing QWeather API credentials. Configure HEFENG_API_HOST to a trusted QWeather domain, prefer environment variables or --no-save for credentials if possible, keep any saved ~/.config/qweather/.env file private, and run only the included reviewed scripts.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill means the agent may run local Python scripts to fetch weather data.
The skill is not only instructional text; it expects the agent to run bundled Python scripts to answer weather questions. This is purpose-aligned and parameterized, with no evidence of destructive or hidden execution.
Run script: python scripts/weather_now.py --city "北京"
Run only the reviewed bundled scripts and avoid adding or executing unreviewed replacement scripts.
A local QWeather API key or private-key setting could be used by anyone who gains access to that configuration file.
The configuration script saves the user's QWeather API key and JWT-related settings to a local .env file by default. The script sets owner-only permissions on that file, but this is still persistent credential storage that users should be aware of.
lines.append(f"HEFENG_API_KEY={args.api_key}") ... fd = os.open(config_file, os.O_CREAT | os.O_WRONLY | os.O_TRUNC, 0o600)
Prefer environment variables or --no-save if you do not want persistent credentials; if saved, keep permissions restrictive and rotate the API key if it is exposed.
If HEFENG_API_HOST is set to an untrusted server, API credentials and location queries could be sent there.
The API destination host is configurable and receives authentication headers plus query parameters such as city/location. This is expected for QWeather/custom-domain use, but a wrong host would receive sensitive request data.
self._api_host = os.environ.get("HEFENG_API_HOST") ... url = f"https://{self._api_host}/{endpoint}" ... httpx.get(url, headers=self._auth_header, params=params)
Set HEFENG_API_HOST only to an official or trusted QWeather domain and treat any host change as security-sensitive.
The agent or user may try to run commands that are missing, or may be tempted to obtain extra unreviewed files.
SKILL.md documents scripts such as weather_history.py that are not present in the supplied file manifest. This looks like a packaging/documentation gap rather than malicious behavior.
python scripts/weather_history.py --city "北京" --days 7
Use the scripts actually included in the package, and review any additional scripts before adding or running them.
