WeatherKit
Pass
Audited by ClawScan on May 1, 2026.
Overview
WeatherKit appears to be a straightforward Apple WeatherKit API wrapper; users should mainly notice that it uses an Apple private key/JWT and sends location forecast queries to Apple.
Before installing, make sure you trust the skill with a WeatherKit-specific Apple private key, understand that forecast locations are sent to Apple, and consider disabling the always-on debug output if logs could reveal sensitive locations.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can use the configured Apple WeatherKit credentials to make authenticated WeatherKit requests, potentially consuming API quota.
The skill reads a local Apple WeatherKit private key file from an environment-configured path to generate a JWT. This is expected for WeatherKit authentication and is disclosed, but it is still credential access.
with open(private_key_path, 'r') as f:
    private_key = f.read()

Use a WeatherKit-specific key, restrict the key file permissions, and do not point APPLE_WEATHERKIT_KEY_PATH at unrelated secrets.
Latitude, longitude, requested forecast parameters, and an Apple WeatherKit JWT are sent to Apple to retrieve weather data.
The code sends forecast requests to Apple's WeatherKit API using an Authorization bearer token. This external provider flow is core to the skill and matches the description.
WEATHERKIT_BASE_URL = "https://weatherkit.apple.com/api/v1"
Install only if you are comfortable sending requested locations to Apple WeatherKit under your configured Apple Developer credentials.
If stderr logs are stored or shared, they may include the locations and forecast data requested through the skill.
The script always emits the full request URL and raw API response to stderr. This is not hidden execution, but it may expose queried coordinates or weather results in logs.
print(f"DEBUG: Request URL: {full_url}", file=sys.stderr)
print(f"DEBUG: Raw response text: {response.text}", file=sys.stderr)

Consider removing or disabling debug logging before using the skill for sensitive locations.
