数联互通weather
Pass
Audited by ClawScan on May 10, 2026.
Overview
This is a straightforward WeatherAPI.com weather skill that uses curl and the user's own API key, with only normal credential and third-party API privacy considerations.
This skill appears safe to install if you want WeatherAPI.com weather lookups. Configure your own API key securely, avoid sharing config or troubleshooting output that may reveal it, and remember that queried locations are sent to WeatherAPI.com.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your WeatherAPI key may be used for API calls and could consume your quota if exposed or misused.
The skill explicitly requires the user to configure a WeatherAPI.com credential. This is expected for the integration, but it means the skill can use that provider key.
"primaryEnv": "WEATHER_API_KEY" ... "apiKey": "YOUR-API-KEY-HERE"
Store the key through OpenClaw settings or an environment variable, do not share config or log output containing the key, and rotate the key if it is accidentally disclosed.
Locations you ask about, along with the API key, are sent to WeatherAPI.com.
The skill sends weather query data and the API key to WeatherAPI.com. The destination is disclosed and aligned with the skill purpose.
curl -s "https://api.weatherapi.com/v1/current.json?key=${API_KEY}&q=London"
Use the skill only when you are comfortable sending the requested location to WeatherAPI.com, and review that provider's privacy terms if needed.
The agent may run a local curl command to contact the weather provider for the requested location.
The operational examples rely on shell curl commands. This is central to the skill and not suspicious by itself, but user-provided locations should be handled safely if the example is adapted.
curl -s "https://api.weatherapi.com/v1/forecast.json?key=${API_KEY}&q=London&days=7"
Keep curl usage limited to WeatherAPI.com endpoints and ensure user-supplied location text is URL-encoded rather than inserted into shell commands unsafely.
