Skillv1.0.0

ClawScan security

tianqi · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignMar 14, 2026, 11:16 AM

Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's requirements and runtime instructions align with its stated purpose (Chinese-focused weather queries using wttr.in and Open‑Meteo); it requests no credentials and only needs curl to make network calls.
Guidance: This skill appears coherent and safe: it only makes outbound requests to wttr.in and Open‑Meteo and does not request credentials. Before installing, consider: (1) the skill will send place names (including precise locations if provided) over the network—avoid providing private exact addresses unless you consent; (2) public APIs may have rate limits or occasional inaccuracies—treat results as quick forecasts, not official warnings; and (3) if you need higher privacy or guaranteed availability, consider using a paid/weather service with an API key and explicit privacy terms.

Purpose & Capability: okName/description (Chinese weather queries) match the declared requirements and instructions: it uses wttr.in for quick text results and Open‑Meteo for structured forecasts and geocoding. Requiring curl is appropriate.
Instruction Scope: okSKILL.md only instructs the agent to call wttr.in and Open‑Meteo endpoints with curl, prefer Chinese place names, and to confirm ambiguous locations. It does not ask for unrelated files, environment variables, or external endpoints.
Install Mechanism: okInstruction-only skill with no install spec or code files. This minimizes disk writes and arbitrary code execution risk.
Credentials: okNo environment variables, secrets, or config paths are requested. Network access to the public APIs is the only external requirement and is proportional to the purpose.
Persistence & Privilege: okSkill is not marked always:true and is user-invocable; it can be called autonomously (platform default), which is expected for a utility skill but does not add unusual privileges.