WeatherKit

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: weatherkit
Version: 1.0.0

The skill bundle is benign. It is designed to access the Apple WeatherKit REST API, which requires reading environment variables for Apple API keys and the path to a private key file (`APPLE_WEATHERKIT_KEY_PATH`) to generate a JWT for authentication. All network requests are directed to the official `https://weatherkit.apple.com/api/v1` endpoint. There is no evidence of data exfiltration, unauthorized execution, persistence mechanisms, or prompt injection attempts against the agent. Debugging output to `stderr` is present but does not indicate malicious intent.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill can use the configured Apple WeatherKit credentials to make authenticated WeatherKit requests, potentially consuming API quota.

Why it was flagged

The skill reads a local Apple WeatherKit private key file from an environment-configured path to generate a JWT. This is expected for WeatherKit authentication and is disclosed, but it is still credential access.

Skill content

    with open(private_key_path, 'r') as f:
        private_key = f.read()

Recommendation

Use a WeatherKit-specific key, restrict the key file permissions, and do not point `APPLE_WEATHERKIT_KEY_PATH` at unrelated secrets.

What this means

Latitude, longitude, requested forecast parameters, and an Apple WeatherKit JWT are sent to Apple to retrieve weather data.

Why it was flagged

The code sends forecast requests to Apple's WeatherKit API using an Authorization bearer token. This external provider flow is core to the skill and matches the description.

Skill content

    WEATHERKIT_BASE_URL = "https://weatherkit.apple.com/api/v1"

Recommendation

Install only if you are comfortable sending requested locations to Apple WeatherKit under your configured Apple Developer credentials.

What this means

If `stderr` logs are stored or shared, they may include the locations and forecast data requested through the skill.

Why it was flagged

The script always emits the full request URL and raw API response to `stderr`. This is not hidden execution, but it may expose queried coordinates or weather results in logs.

Skill content

    print(f"DEBUG: Request URL: {full_url}", file=sys.stderr)
    print(f"DEBUG: Raw response text: {response.text}", file=sys.stderr)

Recommendation

Consider removing or disabling debug logging before using the skill for sensitive locations.