Weather via OpenMeteo (via openmeteo-sh cli; advanced ver)
Pass. Audited by ClawScan on May 1, 2026.
Overview
This skill is a coherent weather-query helper that uses a local OpenMeteo CLI and disclosed Open-Meteo network endpoints, with no evidence of hidden code, credentials, persistence, or data misuse.
This appears safe for its stated purpose. Before installing, verify the openmeteo-sh CLI source you choose, and remember that weather lookups may send your queried location or coordinates to Open-Meteo.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may run weather commands locally using the location and options you provide.
The skill tells the agent to invoke a local CLI with user-provided city, date, and parameter values. This is expected for the skill's purpose, and the artifact includes shell-quoting guidance to reduce command-injection risk.
CLI: `openmeteo <command> [options]` ... **Quote all user-provided values** in shell commands.
Use specific weather queries, avoid unnecessary personal location detail, and ensure the installed openmeteo command is the one you trust.
Installing the CLI gives an external program the ability to run on your machine when the skill is used.
The README documents installing an external CLI through Homebrew, APT, or source with sudo. This is purpose-aligned and user-directed, but it means the user is trusting an external package source.
brew tap lstpsche/tap ... sudo apt install openmeteo-sh ... git clone https://github.com/lstpsche/openmeteo-sh.git ... sudo make install
Install from a trusted source, review the upstream project if needed, and prefer package-manager methods with verified repositories.
Your queried location or coordinates may be sent to Open-Meteo services to retrieve weather data.
The skill sends weather query details such as city names, coordinates, and date ranges to disclosed Open-Meteo API endpoints. This is expected for weather lookups and the destinations are clearly listed.
This skill invokes the `openmeteo` CLI, which makes HTTPS requests to: `https://api.open-meteo.com`, `https://archive-api.open-meteo.com`, `https://geocoding-api.open-meteo.com`
Only provide locations you are comfortable sending to the weather provider, especially if using precise coordinates.
A user might underestimate that location query data leaves the local machine for the weather API.
The README discloses Open-Meteo API endpoints, but the phrase 'No data is sent to any third-party service' could be read too broadly because weather queries are sent to Open-Meteo. The surrounding text makes the intended provider use clear.
No other network access is made. No data is sent to any third-party service.
Treat Open-Meteo as the external weather provider and avoid submitting sensitive precise locations unless needed.
