QWeather Weather Query Function
Pass
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a weather lookup skill, but users should notice that it handles QWeather credentials, can fall back to Open-Meteo with the queried location, and has incomplete setup metadata.
This skill is not showing evidence of malicious behavior, but before installing it you should confirm which QWeather credentials it needs, avoid sharing generated JWT output, and be comfortable with weather locations being sent to QWeather and possibly Open-Meteo. The publisher should also fix the metadata so dependencies, providers, and credential setup are clear.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the helper is run and its output is shared, someone could temporarily use the QWeather credential until the token expires.
This helper script prints a generated QWeather JWT if run. The token is short-lived and purpose-aligned, but it is still an account credential that could appear in logs or chat transcripts.
console.log("JWT TOKEN:");
console.log(token);
Do not share logs containing generated JWTs, and ensure QWeather credential requirements are declared clearly before installation.
A location you ask about, or a configured default location, may be sent to Open-Meteo if the QWeather path fails or this helper is used.
The fallback path sends the queried or default location to Open-Meteo. This is weather-related, but SKILL.md describes QWeather and does not mention this fallback provider.
axios.get('https://geocoding-api.open-meteo.com/v1/search', {
params: { name: inputLoc },
Disclose the Open-Meteo fallback in SKILL.md and allow users to opt out if they only want QWeather used.
The skill may fail at runtime or rely on dependencies that are not clearly declared during installation.
The provided source includes Node.js code that imports axios, so the lack of install/dependency declaration is a packaging and reproducibility gap rather than evidence of malicious behavior.
No install spec — this is an instruction-only skill.
Add an explicit install/dependency specification and declare required QWeather configuration or credentials.
