Skill v1.0.2
ClawScan security
Weather Forecast - 全国天气预报 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 3, 2026, 9:33 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally consistent: it runs a local Python script that calls JisuAPI to fetch weather and only requires a JISU_API_KEY and python3; I found no signs of unrelated credential access, hidden endpoints, or exfiltration.
- Guidance: This skill appears to do only what it claims: call JisuAPI for weather. Before installing: 1) Confirm you trust the JisuAPI provider and protect your JISU_API_KEY (do not share it publicly). 2) Ensure the runtime has python3 and the 'requests' package installed (SKILL.md doesn't list this dependency). 3) Expect the skill to make outbound HTTPS requests to api.jisuapi.com (network egress required). 4) Check your JisuAPI account rate limits and permissions. If you require stricter guarantees, review the script locally (it's small and readable) before enabling autonomous use.
Review Dimensions
- Purpose & Capability (ok): Name/description, SKILL.md and the code all target the JisuAPI weather endpoints. Requiring JISU_API_KEY and python3 is expected for this functionality. The code talks only to https://api.jisuapi.com which matches the documented provider.
- Instruction Scope (ok): SKILL.md instructs the agent to run the included script with a small JSON payload or the 'cities' subcommand. The instructions do not request unrelated files, system configuration, or additional environment variables beyond JISU_API_KEY.
- Install Mechanism (note): There is no install spec (instruction-only), which minimizes install risk. The shipped script uses the Python 'requests' library but the SKILL.md does not document installing that dependency; this is an operational omission (not a security risk) that could cause runtime failures if 'requests' is missing.
- Credentials (ok): Only JISU_API_KEY is required (declared as primaryEnv). No other secrets, system config paths, or unrelated credentials are requested; this is proportionate to calling the Jisu weather API.
- Persistence & Privilege (ok): The skill is not forced-always, does not request system-wide changes, and does not modify other skills. It runs when invoked by the agent or user per platform defaults.
