ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Tempest Weather

v1.0.0

Fetches live weather data from a WeatherFlow Tempest weather station and returns structured JSON with current conditions, wind, precipitation, and lightning....

0· 409·0 current·0 all-time
by@mogglemoss
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Tempest weather data) match the files and operations: SKILL.md and scripts/fetch_tempest.py call the WeatherFlow Tempest REST endpoints and normalize observations. Required binaries (python3, optionally curl) and env vars (TEMPEST_TOKEN, TEMPEST_STATION_ID) are appropriate for this task.
Instruction Scope
Runtime instructions are narrowly scoped: check token/station env vars, call the documented Tempest REST endpoints, parse obs and return normalized JSON. Instructions and example curl/python snippets only reference the declared env vars and the documented WeatherFlow endpoints; they do not request unrelated files or credentials.
Install Mechanism
There is no install spec (instruction-only skill) and the included Python script is standalone. No remote download/extract steps are used. The only dependency is the well-known 'requests' Python package, which the script gracefully reports if missing.
Credentials
Only TEMPEST_TOKEN and TEMPEST_STATION_ID are required, which are the expected credentials for the Tempest API. The primary credential is TEMPEST_TOKEN. No unrelated secrets, config paths, or extra service tokens are requested.
Persistence & Privilege
Skill is not always-enabled (always:false) and is user-invocable. It does not request system-wide changes or other skills' configuration. Autonomous invocation is allowed (platform default) but does not combine with other red flags here.
Assessment
This skill appears coherent and only needs your Tempest Personal Access Token and station ID to function; it will make network requests to swd.weatherflow.com. Before installing, ensure you trust the token you provide (it's sensitive) and do not paste it into public places. The Python script requires the 'requests' package (pip install requests) or curl; follow SKILL.md guidance. Avoid configuring any automated high-frequency polling to prevent hitting rate limits—use the WebSocket API if you need real-time streaming. If you want extra assurance, inspect scripts/fetch_tempest.py locally (it's human-readable) before providing your token.

Like a lobster shell, security has layers — review code before you run it.

latestvk978prcq54f8t6a4gva4rgxr0x81sc2h

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🌤️ Clawdis
Binspython3
Any bincurl, python3
EnvTEMPEST_TOKEN, TEMPEST_STATION_ID
Primary envTEMPEST_TOKEN

Comments