ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

skills-weather

v1.0.3

Get the weather for a specific location or coordinates

0· 354·0 current·0 all-time
by@mangonob
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description match the instructions: the skill is a weather CLI that calls QWeather. The SKILL.md declares network request permission and documents QWeather credentials (privateKey, appId, credentialId, apiHost), which are appropriate for this purpose. No unrelated services, binaries, or credentials are requested.
Instruction Scope
The runtime instructions are narrowly scoped to installing and running a Node CLI and reading an optional config file (default ~/.skills-weather-config.json or SKILLS_WEATHER_CONFIG_FILE_PATH). They do not instruct reading other system files or exfiltrating data. Minor inconsistency: SKILL.md lists an entry (index.js) and npm install commands while the skill bundle provided here contains no code files; that likely means this registry entry is instruction-only and refers to a package hosted on npm/GitHub rather than including code in the bundle.
Install Mechanism
No install spec in the registry bundle (lowest platform risk). The SKILL.md recommends global installation via npm/pnpm, which is normal for Node CLIs but means installing code from the public npm registry/repository (moderate trust required). If you plan to install, review the upstream repository (https://github.com/mangonob/skills-weather) before running npm install -g.
Credentials
The skill does not require platform environment variables. The documented configuration file holds QWeather secrets (privateKey, appId, credentialId) — these are proportional and expected for a third‑party weather API integration. The optional SKILLS_WEATHER_CONFIG_FILE_PATH env var is reasonable.
Persistence & Privilege
The skill is not forced-always and is user-invocable; model-autonomy is allowed (the platform default). The skill does not request persistent system-wide privileges or to modify other skills/configs.
Scan Findings in Context
[no_code_in_bundle] expected: The regex scanner found no code to analyze because this registry entry is instruction-only. SKILL.md points to an npm package and a GitHub repo; review that upstream code before installing from npm.
Assessment
This skill appears coherent for fetching weather using QWeather. Before installing or using it: (1) review the upstream repository/package code (https://github.com/mangonob/skills-weather or the npm package) to ensure it does what you expect; (2) if you install globally with npm/pnpm, be aware global installs place executables on your PATH; (3) protect your QWeather credentials — store the config file (~/.skills-weather-config.json) securely and do not paste keys into public places; (4) the registry bundle here has no code included, so the platform will not auto-install anything — you (or the system admin) must install the npm package to run the CLI.

Like a lobster shell, security has layers — review code before you run it.

latestvk9740tv9r1j4vpkr5k02f2xtzd8291jy
354downloads
0stars
3versions
Updated 8h ago
v1.0.3
MIT-0
@mangonob
latest
Download

Weather Skill

Installation

npm

npm install -g skills-weather

pnpm

pnpm add -g skills-weather

Parameters

  • -V, --version: output the version number
  • -l, --location <string>: Location to get the weather for
  • -d, --days <number>: Specify the number of days to get the weather forecast for.
  • -h, --hours <number>: Specify the number of hours to get the weather forecast for.
  • -f, --config <string>: Path to the config file
  • -c, --coordinates <string>: Latitude and longitude to get the weather for (format: lon,lat)
  • --help: display help for command

Parameter constraints:

  • --location and --coordinates cannot be used together. You must provide at least one of them.
  • --days and --hours cannot be used together. If neither is provided, real-time weather will be returned.

Environment variables:

  • SKILLS_WEATHER_CONFIG_FILE_PATH: Optional environment variable to specify the path to the configuration file. If not provided, the skill will look for a default config file in the current directory.

Examples

Get real-time weather:

  • Get real-time weather for New York: skills-weather -l "New York"
  • Get real-time weather for specific coordinates: skills-weather -c "-74.0060,40.7128"
  • Get real-time weather for London (with a specified config file): skills-weather -l "London" -f "/path/to/config.json"

Get daily weather forecasts:

  • Get today's weather forecast for Futian District, Shenzhen: skills-weather -l "futian" -d 1
  • Get Beijing's weather forecast for the next 3 days: skills-weather -l "北京" -d 3
  • Get a one-month weather forecast for specific coordinates: skills-weather -c "116.4074,39.9042" -d 30
  • Get Shanghai's weather forecast for the next 2 days (with a specified config file): skills-weather -l "上海" -d 2 -f "/path/to/config.json"

Get hourly weather forecasts:

  • Get Guangzhou's weather forecast for the next 12 hours: skills-weather -l "广州" -h 12
  • Get a 6-hour weather forecast for specific coordinates: skills-weather -c "121.4737,31.2304" -h 6
  • Get Shenzhen's weather forecast for the next 24 hours (with a specified config file): skills-weather -l "深圳" -h 24 -f "/path/to/config.json"

Supported Weather Data Providers

Configuration File

和风天气

Default config file path: ~/.skills-weather-config.json
Example:
{
	"privateKey": "G7refSYx9TWAPADGuOdyGycWVNr0POaebYddeNtDjxSSN01b0165TITV9fA=",
	"appId": "BB9A36BAB1",
	"credentialId": "3207A9092A",
	"apiHost": "0dfe03a7c3.re.qweatherapi.com"
}
Field Descriptions
  • privateKey: A private key provided by QWeather for authentication.
  • appId: The application ID provided by QWeather to identify the app.
  • credentialId: A credential ID provided by QWeather for authentication.
  • apiHost: The host address of the QWeather API.

Comments

Loading comments...