OpenWeather

Pass. Audited by ClawScan on May 1, 2026.

Overview

This is a straightforward OpenWeather lookup skill; it uses your OpenWeather API key and sends requested locations to OpenWeather, with no evidence of hidden storage, persistence, or unrelated behavior.

This skill appears safe for its stated weather purpose. Before installing, be comfortable providing an OpenWeather API key and sending queried locations, including any configured default location, to OpenWeather.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Weather lookups can consume the user's OpenWeather API quota and may incur provider-side usage tracking or charges depending on the account plan.

Why it was flagged

The script reads the user's OpenWeather API key and attaches it to OpenWeather requests, which is expected for this service but gives the skill access to that key's quota and account-backed API use.

Skill content

API_KEY = os.environ.get("OPENWEATHER_API_KEY", "").strip() ... &appid={API_KEY}

Recommendation

Use an OpenWeather key intended for this skill, ensure One Call 3.0 is enabled, and monitor or revoke the key if you no longer use the skill.

What this means

The agent can run the included Python helper to contact OpenWeather when handling weather requests.

Why it was flagged

The helper performs outbound HTTP requests, but the code restricts them to OpenWeather domains, matching the stated weather-lookup purpose.

Skill content

if not (url.startswith("https://api.openweathermap.org/") or url.startswith("https://openweathermap.org/")):
    err("Refusing to request non-OpenWeather URL")

Recommendation

Allow use when you want weather data, and avoid configuring a default location if you do not want that location used automatically.

What this means

Users have less publisher/provenance context than they would for a skill with a linked source repository or homepage.

Why it was flagged

The registry information does not provide an external source or homepage, which limits provenance verification even though the included artifacts contain the relevant script and no installer.

Skill content

Source: unknown; Homepage: none

Recommendation

Review the included files before installation and prefer updates from a trusted publisher or repository when available.