Weather Data API
PassAudited by ClawScan on May 10, 2026.
Overview
This instruction-only weather skill appears benign, but its paid option sends a payment header to a localhost service that is not included in the reviewed artifacts.
This skill is reasonable for basic weather queries, but treat the premium endpoint as a real payment action. Before installing or using it, confirm that you trust the localhost service on port 5000 and require explicit user approval before sending any X-Payment header.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the premium endpoint could authorize a small payment.
The premium workflow uses a payment authorization header and may spend funds, but the charge amount and paid endpoint are disclosed and aligned with the premium forecast purpose.
Requires x402 payment (0.05 USDC) curl -H "X-Payment: <payment_header>" "http://localhost:5000/forecast/premium?lat=40.71&lon=-74.00"
Only allow the premium request after the user explicitly approves the payment amount and understands where the payment header is being sent.
The skill may not work unless a separate local server is running, and that server's behavior was not reviewed here.
The SKILL.md examples call a localhost weather service, but no reviewed code or installation mechanism for that service is provided in the artifacts.
No install spec — this is an instruction-only skill.
Verify the localhost service source and behavior before relying on it, especially before sending any payment header.