WeatherKit

Advisory

Audited by static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill can use the configured Apple WeatherKit credentials to make authenticated WeatherKit requests, potentially consuming API quota.

Why it was flagged

The skill reads a local Apple WeatherKit private key file from an environment-configured path to generate a JWT. This is expected for WeatherKit authentication and is disclosed, but it is still credential access.

Skill content

with open(private_key_path, 'r') as f:
    private_key = f.read()

Recommendation

Use a WeatherKit-specific key, restrict the key file permissions, and do not point APPLE_WEATHERKIT_KEY_PATH at unrelated secrets.

What this means

Latitude, longitude, requested forecast parameters, and an Apple WeatherKit JWT are sent to Apple to retrieve weather data.

Why it was flagged

The code sends forecast requests to Apple's WeatherKit API using an Authorization bearer token. This external provider flow is core to the skill and matches the description.

Skill content

WEATHERKIT_BASE_URL = "https://weatherkit.apple.com/api/v1"

Recommendation

Install only if you are comfortable sending requested locations to Apple WeatherKit under your configured Apple Developer credentials.

What this means

If stderr logs are stored or shared, they may include the locations and forecast data requested through the skill.

Why it was flagged

The script always emits the full request URL and raw API response to stderr. This is not hidden execution, but it may expose queried coordinates or weather results in logs.

Skill content

print(f"DEBUG: Request URL: {full_url}", file=sys.stderr)
print(f"DEBUG: Raw response text: {response.text}", file=sys.stderr)

Recommendation

Consider removing or disabling debug logging before using the skill for sensitive locations.