Skill v1.0.4
ClawScan security
weather-agent · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 15, 2026, 1:46 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, declared environment variables, and runtime instructions are coherent with its stated purpose (automated weather-based trading) — but it executes real trades, so treat the SIMMER_API_KEY and autostart enabling with caution and test carefully in dry-run mode first.
- Guidance
- This skill appears to do what it says, but it executes real trades when run with --live or when you enable autostart. Before installing or enabling: (1) create a least-privilege SIMMER_API_KEY that cannot withdraw funds, (2) review the full source (weather_trader_enhanced.py and scripts/status.py) yourself or with someone who understands the code, (3) run dry runs first (no --live) and test scripts/status.py to confirm API access, (4) keep the .env file out of version control, and (5) do NOT enable autostart until you're confident with behavior — enabling requires editing metadata and will cause automated trades every 6 hours. If you install the optional tradejournal package, audit it first to ensure it doesn't transmit trade data to external services.
Review Dimensions
- Purpose & Capability
- ok: Name/description, required env var (SIMMER_API_KEY), and the included code all match: the skill fetches NOAA forecasts, geocodes via Nominatim, and places trades via api.simmer.markets. No unrelated services or credentials are requested.
- Instruction Scope
- note: SKILL.md and scripts instruct running the Python scripts and creating a .env with SIMMER_API_KEY; instructions are limited to trading workflow. Important caveats: the skill places real trades automatically if you enable autostart, it writes/updates config.json in the skill folder, and there is no per-trade approval when autonomous mode is enabled — the documentation correctly warns about financial risk.
- Install Mechanism
- ok: This is instruction-only with no installer; dependencies are minimal and optional (python-dotenv, optional tradejournal). No download/install URLs or archive extraction are present in the manifest.
- Credentials
- ok: Only SIMMER_API_KEY is required (plus optional SIMMER_WEATHER_* overrides). No unrelated secrets, cloud credentials, or wallet private keys are required by the code. The SKILL.md notes legacy web3 env vars are unused.
- Persistence & Privilege
- ok: always:false and autostart:false by default. The skill persists configuration to config.json in its own directory (expected). It does not request system-wide privileges or alter other skills' configs.
