AWEKAS Wetter API

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill appears to perform the advertised AWEKAS weather lookup, but users should know it uses an AWEKAS API key and a third-party fetch dependency.

This looks reasonable for a weather API skill. Install it if you are comfortable providing an AWEKAS API key to the AWEKAS endpoint, and verify the package/version if using it in a sensitive environment.

Static analysis

Env credential access

Critical
Finding
Environment variable access combined with network send.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The user's AWEKAS API key will be used for requests to api.awekas.at.

Why it was flagged

The skill uses an AWEKAS API key from a command argument or environment variable and sends it to the AWEKAS API. This is purpose-aligned, but it is still a credential boundary users should understand.

Skill content

const apiKey = args.key || process.env.AWEKAS_KEY; ... url.searchParams.set("key", apiKey);

Recommendation

Use a dedicated AWEKAS key if possible, avoid sharing it in prompts or logs, and revoke/rotate it if it is exposed.

What this means

Users may have less certainty about the exact dependency version or package version identity being installed.

Why it was flagged

The package uses a third-party dependency with a version range, and the submitted registry metadata lists version 1.0.0 while the included package/SKILL files list 2.0.0. This is a provenance/install hygiene note, not evidence of malicious behavior.

Skill content

"version": "2.0.0", ... "dependencies": { "node-fetch": "^3.3.2" }

Recommendation

Verify the package source/version before installing in sensitive environments and prefer locked dependency versions where possible.