中国城市天气 Weather in China
Warn
Audited by ClawScan on May 10, 2026.
Overview
This is mostly a straightforward China weather lookup skill, but its shell script evaluates website-derived text as shell code, which could run unintended commands if the fetched page is malicious or compromised.
Before installing, ask the maintainer to remove the eval-based parsing or patch it locally. If you run it anyway, run it only as a normal user, not with elevated privileges, and be aware it sends weather queries to weather.com.cn.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the weather page, network response, or parsed HTML content contains shell metacharacters, running the skill could execute unintended commands on the user's machine.
The script fetches HTML from the network, parses it into variable-assignment text, and then passes that text to eval. The title-derived WEATHER value is not shell-escaped before evaluation.
html=$(curl -s --max-time 10 "$url" 2>/dev/null) ... weather_data=$(parse_weather "$html") ... eval "$data"
Remove eval and parse the fields safely, for example by assigning only known keys after strict validation or by using a structured format that is not executed as shell code.
The queried city is sent to the external weather service, and results depend on network access and that site's response.
The skill uses curl to contact China Weather for the selected city code. This is expected for the stated weather lookup purpose.
local url="https://www.weather.com.cn/weather/${city_code}.shtml"
html=$(curl -s --max-time 10 "$url" 2>/dev/null)
Use the skill only where external weather.com.cn requests are acceptable, and avoid relying on it in restricted or offline environments.
