Get tomorrow's weather for Beijing, with Chinese almanac information
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: weather-of-beijing-with-almanac
Version: 1.0.2
The skill is classified as suspicious due to the insecure handling of API credentials. In SKILL.md, Step 2 instructs the agent to make a `curl` request to `https://www.mxnzp.com/api/holiday/single/...` including `app_id=your_app_id&app_secret=your_secret` directly in the URL query parameters. This method of transmitting sensitive `app_secret` via a GET request is insecure, as it can expose the secret in server logs, browser history, or network intermediaries. While the intent appears to be to use legitimate credentials for the skill's stated purpose, the instruction itself represents a significant vulnerability for credential exposure, relying on the agent's interpretation and secure handling of such placeholders.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may contact external services and send a Feishu message when invoked or scheduled.
The skill uses external API/search tools and a messaging tool. This is disclosed and aligned with the weather-reminder purpose, but users should confirm the Feishu recipient and allowed tool use.
curl -s "https://wttr.in/Beijing?format=j1" ... Use `batch_web_search` to search ... Use the `message` tool to send to the user `your Feishu openid`, with channel set to feishu.
Verify the configured recipient, keep the message destination limited to yourself or intended users, and avoid expanding the skill to send broader or public messages without review.
If users add real API secrets or Feishu identifiers, they should treat them as sensitive configuration.
The almanac API example includes optional app credentials, and Feishu delivery requires a recipient identifier. These are purpose-aligned, but they are not declared as required credentials in metadata.
app_id=your_app_id&app_secret=your_secret ... send to the user `your Feishu openid`
Store any real API keys or Feishu identifiers in secure configuration rather than hardcoding them into shared instructions or command history.
The reminder could continue sending daily notifications until the schedule is disabled.
The skill describes recurring scheduled execution. This is disclosed and matches the daily reminder purpose, but it is persistent automation.
Scheduled task (primary): triggered automatically by cron at 18:00 every day
Ensure any cron or platform schedule is visible to the user and has a clear way to pause, edit, or remove it.
