Weather via OpenMeteo (via openmeteo-sh cli; simple ver)

Pass. Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: openmeteo-sh-weather-simple
Version: 1.2.1

The skill bundle is designed for fetching weather information using the `openmeteo` CLI. The `SKILL.md` explicitly instructs the AI agent to quote all user-provided values in shell commands (Rule 2), which is a critical security measure against shell injection vulnerabilities. The `README.md` transparently declares network access only to `api.open-meteo.com` and `geocoding-api.open-meteo.com`. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, or prompt injection attempts against the agent for harmful purposes. The instructions are clear and aligned with the stated benign purpose.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may run the openmeteo command to answer weather questions.

Why it was flagged

The skill instructs the agent to invoke a local CLI with user-provided location arguments, which is expected for this weather integration.

Skill content

openmeteo weather --current --city=Berlin --llm

Recommendation

Keep using the documented quoting pattern for city names and only install a trusted openmeteo CLI.

What this means

Installing the prerequisite CLI gives code from the external openmeteo-sh source access to run locally.

Why it was flagged

The README directs users to install an external CLI package from third-party package sources; this is disclosed and purpose-aligned but depends on trusting that source.

Skill content

brew tap lstpsche/tap
brew install openmeteo-sh

Recommendation

Install only from the official project or a trusted package channel, and review privileged install steps before running them.

What this means

The city or coordinates used for a weather query may be sent to Open-Meteo.

Why it was flagged

Weather lookups require sending the requested city or coordinates to the external Open-Meteo API; the endpoints are clearly disclosed.

Skill content

This skill invokes the `openmeteo` CLI, which makes HTTPS requests to:
- `https://api.open-meteo.com`
- `https://geocoding-api.open-meteo.com`

Recommendation

Avoid querying locations you consider sensitive, or review Open-Meteo's privacy practices before use.