Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Chinese City Weather (Weather in China)
v1.0.1 Chinese weather lookup tool - fetches real-time weather from the China Weather website (no API key required, does not depend on a large language model)
by @kenera
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
Name/description match the implementation: the skill is a bash script that fetches weather from weather.com.cn using curl/grep and a local city->code map. Required binaries (curl, grep) and files (weather_codes.txt) are appropriate and proportional.
Instruction Scope
SKILL.md instructs running the bundled script, which fetches remote HTML and parses it locally. The script outputs key=value lines and then uses eval "$data" in format_output — evaluating untrusted content from the network (or a modified local file) can lead to arbitrary shell command execution. Parsing HTML with grep/sed is brittle and may produce unexpected strings that make eval dangerous. This is scope-consistent but contains an unsafe coding pattern.
Install Mechanism
No install spec (instruction-only); there are no remote downloads or installs. That limits install-time risk. Shipping a script file is expected for this kind of skill.
Credentials
The skill requests no environment variables or credentials. Network access to www.weather.com.cn is required and expected. No unrelated secrets or config paths are requested.
Persistence & Privilege
always is false and the skill does not request persistent/system-wide changes or elevated privileges. It's user-invokable and behaves like a normal, ephemeral script.
What to consider before installing
The skill is functionally coherent, but the bundled script uses eval on data derived from fetched HTML (and therefore untrusted). That creates a real risk of command injection if the remote page or the local city file is maliciously modified. Before installing or running: (1) review or run the script only in an isolated environment (container or low-privilege account); (2) avoid running it as root; (3) fix the code by removing eval — parse the key=value output safely (for example, read lines and assign variables explicitly or whitelist keys and sanitize values), or escape values before eval; (4) verify weather_codes.txt hasn't been tampered with; (5) consider adding strict input validation on city_code (digits only) and stricter extraction of values (strip quotes/unsafe characters). If you want, I can provide a patched version of the script that avoids eval and is safer to run.
Latest version: vk97a4z5zkvhvvdvge7b7xmyf218120j9
Runtime requirements
🌤️ Clawdis
Bins: curl, grep
