OpenWeather

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: openweather
Version: 1.0.2

The OpenWeather skill is benign. The `scripts/weather.py` file includes robust URL whitelisting in its `fetch` function, ensuring all network requests are strictly confined to `api.openweathermap.org` or `openweathermap.org`, preventing arbitrary data exfiltration. Input sanitization is handled via `urllib.parse.quote` for city names, and command-line arguments are parsed and used internally within Python, avoiding shell injection risks. There are no signs of prompt injection in `SKILL.md`, no attempts to access sensitive files, no persistence mechanisms, and no obfuscation.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Weather lookups can consume the user's OpenWeather API quota and may incur provider-side usage tracking or charges depending on the account plan.

Why it was flagged

The script reads the user's OpenWeather API key and attaches it to OpenWeather requests, which is expected for this service but gives the skill access to that key's quota and account-backed API use.

Skill content

API_KEY = os.environ.get("OPENWEATHER_API_KEY", "").strip() ... &appid={API_KEY}

Recommendation

Use an OpenWeather key intended for this skill, ensure One Call 3.0 is enabled, and monitor or revoke the key if you no longer use the skill.

What this means

The agent can run the included Python helper to contact OpenWeather when handling weather requests.

Why it was flagged

The helper performs outbound HTTP requests, but the code restricts them to OpenWeather domains, matching the stated weather-lookup purpose.

Skill content

if not (url.startswith("https://api.openweathermap.org/") or url.startswith("https://openweathermap.org/")):
    err("Refusing to request non-OpenWeather URL")

Recommendation

Allow use when you want weather data, and avoid configuring a default location if you do not want that location used automatically.

What this means

Users have less publisher/provenance context than they would for a skill with a linked source repository or homepage.

Why it was flagged

The registry information does not provide an external source or homepage, which limits provenance verification even though the included artifacts contain the relevant script and no installer.

Skill content

Source: unknown; Homepage: none

Recommendation

Review the included files before installation and prefer updates from a trusted publisher or repository when available.