Surf Query
Review
Audited by ClawScan on May 10, 2026.
Overview
The surf lookup skill appears purpose-aligned, but it has a self-updater that can replace code from an unpinned GitHub branch and it disables HTTPS certificate checks while sending the weather API key.
Install only if you are comfortable auditing the GitHub updater path. Avoid automatic updates unless they are pinned and verified, use a low-privilege CWA API key, and enable cron/push notifications only for channels you intentionally control.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill’s behavior could change later based on whatever is in the remote GitHub branch, outside the reviewed package contents.
The updater can be run by maintenance automation or manually and replaces executable skill files from the GitHub main branch without pinning or integrity checks.
# Called by the OpenClaw weekly maintenance cron, or run manually ... curl -sf "$REPO_URL/raw/main/surf_query.py" -o "$CURRENT.tmp" && mv "$CURRENT.tmp" "$CURRENT"
Prefer registry-managed updates, pin a specific release or commit, verify checksums/signatures, and require explicit user approval before replacing executable skill files.
On an untrusted network, the weather API key and live surf/weather responses could be exposed or altered by a network attacker.
The CWA API key is attached to requests while certificate verification is disabled, weakening protection against interception or response tampering.
params["Authorization"] = key ... urllib3.disable_warnings(...) ... requests.get(f"{CWA_BASE}/{dataset}", params=params, timeout=8, verify=False)
Enable certificate verification, fix the CA/certificate handling instead of using verify=False, and use a limited, revocable CWA API key.
If enabled, the skill can participate in recurring outbound messages rather than only responding to direct queries.
The README documents optional scheduled push notifications through messaging channels; this is disclosed and purpose-aligned, but it creates ongoing autonomous behavior if the user configures it.
Run hourly with the OpenClaw cron; when there is an alert, send it to Telegram / iMessage / LINE
Only configure cron push notifications for channels and recipients you control, and keep schedules and message destinations explicit.
