Skill v1.0.3

ClawScan security

skills-weather · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 4, 2026, 7:46 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requested inputs and runtime behavior are consistent with a weather CLI that uses QWeather credentials; nothing appears disproportionate or unrelated to its stated purpose.
Guidance
This skill appears coherent for fetching weather using QWeather. Before installing or using it: (1) review the upstream repository/package code (https://github.com/mangonob/skills-weather or the npm package) to ensure it does what you expect; (2) if you install globally with npm/pnpm, be aware global installs place executables on your PATH; (3) protect your QWeather credentials — store the config file (~/.skills-weather-config.json) securely and do not paste keys into public places; (4) the registry bundle here has no code included, so the platform will not auto-install anything — you (or the system admin) must install the npm package to run the CLI.
Findings
[no_code_in_bundle] expected: The regex scanner found no code to analyze because this registry entry is instruction-only. SKILL.md points to an npm package and a GitHub repo; review that upstream code before installing from npm.

Review Dimensions

Purpose & Capability
ok: The name/description match the instructions: the skill is a weather CLI that calls QWeather. The SKILL.md declares network request permission and documents QWeather credentials (privateKey, appId, credentialId, apiHost), which are appropriate for this purpose. No unrelated services, binaries, or credentials are requested.
Instruction Scope
note: The runtime instructions are narrowly scoped to installing and running a Node CLI and reading an optional config file (default ~/.skills-weather-config.json or SKILLS_WEATHER_CONFIG_FILE_PATH). They do not instruct reading other system files or exfiltrating data. Minor inconsistency: SKILL.md lists an entry (index.js) and npm install commands while the skill bundle provided here contains no code files; that likely means this registry entry is instruction-only and refers to a package hosted on npm/GitHub rather than including code in the bundle.
Install Mechanism
note: No install spec in the registry bundle (lowest platform risk). The SKILL.md recommends global installation via npm/pnpm, which is normal for Node CLIs but means installing code from the public npm registry/repository (moderate trust required). If you plan to install, review the upstream repository (https://github.com/mangonob/skills-weather) before running npm install -g.
Credentials
ok: The skill does not require platform environment variables. The documented configuration file holds QWeather secrets (privateKey, appId, credentialId) — these are proportional and expected for a third‑party weather API integration. The optional SKILLS_WEATHER_CONFIG_FILE_PATH env var is reasonable.
Persistence & Privilege
ok: The skill is not forced-always and is user-invocable; model-autonomy is allowed (the platform default). The skill does not request persistent system-wide privileges or to modify other skills/configs.