Back to skill
Skillv1.1.0
ClawScan security
Test Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 23, 2026, 2:24 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is internally consistent with a simple weather lookup using wttr.in and Open-Meteo via curl; nothing requested or instructed is disproportionate to that purpose.
- Guidance
- This skill appears to do exactly what it says: issue curl requests to wttr.in and Open-Meteo and optionally save a PNG to /tmp. Before installing: ensure you are comfortable with an agent making outbound HTTP requests (these services will see the queried location and your agent's IP); confirm curl is available in your environment; and note minor metadata mismatches (the provided _meta.json has a different ownerId/slug/version than the registry metadata) — this is likely benign (packaging/versioning), but if provenance matters to you, verify the publisher/source before using the skill in automated scenarios.
Review Dimensions
- Purpose & Capability
- okName/description (weather, no API key) match the instructions, which only use curl to query wttr.in and Open-Meteo. Required binary is only curl, which is appropriate. No credentials or config paths are requested.
- Instruction Scope
- noteRuntime instructions only run curl against wttr.in and api.open-meteo.com and optionally write a PNG to /tmp; that stays within the declared purpose. Note: queries will send the requested location (and the agent's network-level metadata such as IP) to those third-party services, so this exposes location/usage data to external servers.
- Install Mechanism
- okNo install spec (instruction-only), so nothing is downloaded or written to disk by an installer. This is the lowest-risk install posture.
- Credentials
- okThe skill declares no environment variables or credentials and the instructions do not reference any. No secrets are requested or required.
- Persistence & Privilege
- okalways is false and the skill does not request persistent system privileges or modify other skills. Autonomous invocation is allowed (platform default) but not combined with any broad access here.