Skill v1.0.1
ClawScan security
cn-weather · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 12, 2026, 6:24 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requests and runtime instructions align with its stated purpose (querying Chinese city weather via China Meteorological Administration endpoints); it requires no credentials or installs and stays within scope.
- Guidance: This skill appears coherent and low-risk, but verify these practical points before installing: (1) the skill makes outbound requests to data.cma.cn and weather.cma.cn — confirm your environment permits these network calls and that you trust those endpoints; (2) no credentials are required, but user-supplied city names will be sent to the external API (privacy consideration); (3) SKILL.md examples use curl — ensure the runtime has an HTTP capability or the platform will need to implement the calls; (4) the SKILL.md claims 'official' CMA APIs — consider validating the endpoints and whether an API key or rate limits apply in your deployment. If any of these are unacceptable, do not enable the skill.
Review Dimensions
- Purpose & Capability (ok): Name/description (Chinese weather lookup) match the instructions: two-step queries to CMA endpoints to resolve station ID and fetch current weather. Nothing requested is out-of-scope for a weather skill.
- Instruction Scope (note): SKILL.md only instructs two specific HTTP calls (to data.cma.cn and weather.cma.cn) and how to format results; it does not access files, env vars, or other system state. Note: it assumes the agent can make outbound HTTP requests (examples use curl) and will transmit user-supplied city names to external endpoints (privacy consideration).
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files. No packages or downloads are requested, so there is no installation risk.
- Credentials (ok): No environment variables, credentials, or config paths are required. The lack of secrets or broad credential access is proportionate to a public-weather lookup skill.
- Persistence & Privilege (ok): always is false and the skill is user-invocable with normal autonomous invocation allowed; this is expected for a service integration and does not request elevated persistent privileges.
