Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
alibabacloud-iqs-weather-query
v1.0.07-day weather forecast query powered by Alibaba Cloud IQS web search and page reading. Triggers: "weather forecast", "7-day weather", "weekly weather", "weat...
⭐ 0· 22·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
high confidencePurpose & Capability
Name/description (7‑day forecast via Alibaba IQS) match the code and instructions. However, the package metadata declares no required env vars or config paths while both SKILL.md and scripts/weather.mjs require an ALIYUN_IQS_API_KEY and optionally read ~/.alibabacloud/iqs/env. That's an incoherence in declared requirements.
Instruction Scope
SKILL.md and the script limit operations to calling Alibaba IQS search/readpage endpoints and parsing pages, which is appropriate. But the skill's "evolveHint" explicitly instructs the agent/developer to modify scripts/weather.mjs to add new parsers (i.e., edit the skill's code). That encourages the agent to produce code changes on disk and broadens runtime scope beyond simple queries.
Install Mechanism
No install spec and no external downloads; the skill is an instruction + included Node.js script. There is no evidence of third‑party packages being pulled or obfuscated installers.
Credentials
The script and SKILL.md require ALIYUN_IQS_API_KEY (and offer storing it in ~/.alibabacloud/iqs/env), which is proportionate to using Alibaba IQS. However, the registry metadata does not declare this required credential or the config path—this mismatch reduces transparency. The skill reads a file in the user's home directory which was not declared in required config paths.
Persistence & Privilege
always:false and no elevated platform privileges. Still, the guidance to add new parsers to scripts/weather.mjs implies modifying files bundled with the skill; if the agent is allowed to write files, that increases blast radius. The skill itself does not explicitly perform persistent installation or set always:true.
What to consider before installing
This skill appears to implement weather lookup via Alibaba IQS and will call cloud-iqs.aliyuncs.com endpoints — that is expected. But before installing or running it: 1) be aware the SKILL.md and script require ALIYUN_IQS_API_KEY (and may read ~/.alibabacloud/iqs/env), yet the registry metadata does not declare that—ask the publisher to declare required env vars and config paths. 2) Inspect scripts/weather.mjs yourself (it is included) to confirm there are no unexpected behaviors. 3) Consider providing the API key with least privilege and keep it separate from high‑privilege credentials; prefer temporary keys when possible. 4) Decide whether you are comfortable allowing the agent to modify local skill files — the skill’s "evolve" instructions encourage creating/parsing new parser code, which could lead to file writes. 5) If you don't trust the unknown publisher, run the script in an isolated environment (container/VM) or decline. If you want, ask the author to update the registry metadata to explicitly list ALIYUN_IQS_API_KEY and the optional config file path.scripts/weather.mjs:30
Environment variable access combined with network send.
scripts/weather.mjs:40
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.Like a lobster shell, security has layers — review code before you run it.
latestvk97fe2qp4c1wyxj1ep72mr08xd851av8
License
MIT-0
Free to use, modify, and redistribute. No attribution required.