Skill v1.0.2
ClawScan security
weather · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 23, 2026, 11:19 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally consistent: it runs a local Python script that queries the Open‑Meteo geocoding and weather APIs and does not request unrelated credentials or system access.
- Guidance: This skill appears to do what it says: it runs a local Python script that queries Open‑Meteo services for geocoding and current-weather data and does not request credentials or access other system data. Things to keep in mind before installing: 1) the script makes outbound HTTPS requests to geocoding-api.open-meteo.com and api.open-meteo.com (your city queries are sent to those services); 2) it requires the Python 'requests' package — the script will prompt you to install it if absent; and 3) the skill has no published homepage and the source is listed as 'unknown' (not a security problem by itself, but if you require an auditable origin you may want a skill with a known repository or publisher). If those network calls and the lack of a published source are acceptable, the skill is coherent and low risk.
Review Dimensions
- Purpose & Capability (ok): Name/description (weather lookup) match the implementation. The included script performs geocoding and current-weather queries and contains built-in city coordinates and matching logic appropriate for a weather skill.
- Instruction Scope (ok): SKILL.md instructs the agent to run scripts/weather.py with the city argument. The runtime behavior is limited to parsing input, resolving a city (local dictionary + Open‑Meteo geocoding), and calling Open‑Meteo's forecast API to retrieve current weather. The instructions do not access unrelated files, environment variables, or external endpoints beyond the weather/geocoding APIs.
- Install Mechanism (note): There is no install spec (instruction-only), which reduces risk. The script requires the Python 'requests' library; if missing it prints pip install instructions and exits. The skill does not automatically fetch arbitrary code or download executables.
- Credentials (ok): The skill requests no environment variables, secrets, or config paths. Its external network calls are limited to Open‑Meteo endpoints (geocoding-api.open-meteo.com and api.open-meteo.com), which are appropriate and proportional for a weather lookup tool.
- Persistence & Privilege (ok): always is false and the skill does not modify other skills or system configuration. It does not request persistent privileges or system-wide changes.
