Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Weather Aqi

v1.0.0

Provides real-time weather and air quality index (AQI) data for any location using Open-Meteo and Waqi API.

0 · 65 · 0 current · 0 all-time
by buihieu@guchigangz
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code and SKILL.md call Open‑Meteo geocoding/forecast and the WAQI API, which matches the skill's description. However, the registry metadata lists no required env vars while both the code and SKILL.md expect WAQITOKEN.
Instruction Scope
Runtime instructions limit actions to web_fetch calls (Open‑Meteo and WAQI) and reading WAQITOKEN from the environment; there are no instructions to read unrelated files, system state, or to exfiltrate data to other endpoints.
Install Mechanism
No install spec (lower risk) and the code is pure fetch-based JavaScript with no external downloads. Note: a code file is packaged but there is no explicit install/runtime packaging guidance in the registry metadata.
Credentials
The code uses process.env.WAQITOKEN to call the WAQI API (reasonable for AQI queries), but the registry metadata incorrectly reports 'Required env vars: none'. This mismatch is concerning because a required secret is not declared in metadata, which could lead to confusion or accidental disclosure policies being bypassed.
Persistence & Privilege
The skill does not request persistent or elevated privileges (always is false), does not modify other skills or system config, and only performs on‑demand network calls.
What to consider before installing
This skill's code matches its description and only needs a WAQI API token to fetch AQI, so the functionality is plausible — but the registry metadata failing to declare WAQITOKEN is an inconsistency you should clarify before installing. Ask the publisher to update metadata to list WAQITOKEN, confirm the token's intended scope (prefer a limited-purpose WAQI token), and avoid supplying any broader credentials. Because the package includes a code file but no install spec or source/homepage, consider requesting the source or reviewing the code yourself (it was provided and looks straightforward) and testing with a throwaway token first.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
weather_aqi_claw.js:12: Environment variable access combined with network send.

Like a lobster shell, security has layers — review code before you run it.

latest vk970vxk1f9hfs4d9k01bt28nad84kfv2
65 downloads
0 stars
1 versions
Updated 1w ago
v1.0.0
MIT-0

Weather & AQI Realtime Skill

Version: 1.0.0
Author: Perplexity AI (based on weather_aqi.js)
Description: Gets real-time weather + AQI for any location (Hanoi, NYC...). Uses Open-Meteo + Waqi API. Output JSON/text.

Usage

  • Agent query: "Weather AQI Hanoi"
  • JSON: "Get weather_aqi json Tokyo"
  • Env: WAQITOKEN=your_waqi_token

Tools Required

  • web_fetch (geocoding, weather, AQI)
  • env (WAQITOKEN)

License: MIT-0 | Safe: VirusTotal clean
