China City Weather (Weather in China)

Pass. Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: weather-cn
Version: 1.0.1

The skill is classified as suspicious primarily due to the use of `eval "$data"` in the `format_output` function within `weather-cn.sh`. While the input `$data` is derived from `grep` and `sed` operations with specific patterns on external HTML, `eval` is an inherently dangerous function that introduces a shell injection vulnerability. Although the current parsing logic makes direct exploitation difficult, it's a critical security flaw. The skill also uses `curl` to fetch data from an external website (weather.com.cn), which is expected for its functionality but represents a network access capability.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern (High Confidence)
ASI05: Unexpected Code Execution
What this means

If the weather page, network response, or parsed HTML content contains shell metacharacters, running the skill could execute unintended commands on the user's machine.

Why it was flagged

The script fetches HTML from the network, parses it into variable-assignment text, and then passes that text to eval. The title-derived WEATHER value is not shell-escaped before evaluation.

Skill content

html=$(curl -s --max-time 10 "$url" 2>/dev/null)
...
weather_data=$(parse_weather "$html")
...
eval "$data"

Recommendation

Remove eval and parse the fields safely, for example by assigning only known keys after strict validation or by using a structured format that is not executed as shell code.

What this means

The queried city is sent to the external weather service, and results depend on network access and that site's response.

Why it was flagged

The skill uses curl to contact China Weather for the selected city code. This is expected for the stated weather lookup purpose.

Skill content

local url="https://www.weather.com.cn/weather/${city_code}.shtml"
html=$(curl -s --max-time 10 "$url" 2>/dev/null)

Recommendation

Use the skill only where external weather.com.cn requests are acceptable, and avoid relying on it in restricted or offline environments.