Skillv1.0.0

ClawScan security

Weather Alert · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignApr 18, 2026, 12:34 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's code, instructions, and declared permissions match its stated purpose (weather monitoring and alerts); it uses public weather APIs, requires no credentials, and only writes a small per-user directory for cache/alerts.
Guidance: This skill appears to do what it says: it queries Open‑Meteo and wttr.in (no API keys required), formats forecasts, evaluates thresholds, and stores alerts and a short cache under ~/.weather-alerts. Before installing, consider: (1) it will create and read files in ~/.weather-alerts — do not put secrets in that directory; (2) network access is limited to public weather APIs (open-meteo.com, wttr.in); (3) if you prefer not to allow file writes, run the script manually or review the code first; (4) optional OpenWeatherMap usage would require you to provide an API key — the skill does not request any keys by default. Overall the package is internally consistent and proportionate to its stated purpose.

Purpose & Capability: okName/description (weather monitoring & alerts) match the code and SKILL.md. The script fetches data from Open‑Meteo and wttr.in, formats forecasts, checks thresholds, and stores alerts — all consistent with the advertised features.
Instruction Scope: noteRuntime instructions are scoped to weather queries and alert management. The skill reads config.yaml (bundled) and will read/write under the user's home (~/.weather-alerts/alerts.yaml and cache.json) and performs network calls to the documented endpoints. This is expected, but users should note it will create and access files in their home directory.
Install Mechanism: okNo install spec; this is an instruction/code-only skill. There are no downloads or external install steps in the package that would write arbitrary code to disk beyond the included script files.
Credentials: okThe skill requests no environment variables or external credentials. The SKILL.md mentions an optional OpenWeatherMap fallback if a user configures an API key, which is reasonable. No unrelated secrets or cloud credentials are requested.
Persistence & Privilege: okalways:false and model invocation is allowed (platform default). The skill persists only to a per-user directory (~/.weather-alerts) for cache and alerts and does not attempt to change other skills or system-wide agent configuration.