Back to skill
Skillv1.1.0
VirusTotal security
Weather Skill · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 28, 2026, 5:09 AM
- Hash
- 3de7ad8ef3f3a39725217cafdf1663269acda95a6ab2a9cd6d3b9912ad44e5b1
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: weather-skill Version: 1.1.0 The skill contains a hardcoded API key (SKILLPAY_API_KEY) in both handler.py and SKILL.md, which constitutes a credential exposure vulnerability. It implements a micro-payment system via an external endpoint (skillpay.me) to charge for weather data retrieved from the free wttr.in service. While the code lacks clear malicious intent and includes a permissive 'demo' fallback if the payment service fails, the hardcoded credentials and the use of a third-party billing gateway for free public data are significant security and policy concerns.
- External report
- View on VirusTotal