Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Croatia Weather
v1.0.0 · Swiss-army knife for Croatian weather — 27 commands covering current conditions, forecasts (7-day, 3-day, 3-hourly, regional, outlook), warnings (CAP, heat/c...
by Jakov Nikolić (@nikolicjakov)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the implementation: a Python 3 CLI that fetches DHMZ and related Croatian meteorological XML feeds. Required binary (python3) and optional env vars (home station aliases) are proportional and expected.
Instruction Scope
SKILL.md instructs the agent to run the included dhmz.py script and to optionally read environment variables for home stations — all within scope. However, the SKILL.md triggered a 'unicode-control-chars' prompt-injection detector (invisible characters can be used to manipulate agent parsing). Inspect the raw SKILL.md for hidden control characters before trusting it.
Install Mechanism
No install spec; skill is delivered as files (README, SKILL.md, Python script, references). This is low-risk compared with remote downloads or package installs. The Python script uses only stdlib and fetches public XML URLs — no external installers or archives.
Credentials
The skill does not require secrets or unrelated environment variables. Only optional DHMZ_HOME_* variables (for home station configuration) are used, which are reasonable for this functionality.
Persistence & Privilege
Skill does not request always:true and is user-invocable only. It does not declare any system-wide config changes or privilege escalation. Autonomous invocation is allowed (platform default) but not combined with other high-risk indicators here.
Scan Findings in Context
[unicode-control-chars] unexpected: SKILL.md contains invisible Unicode control characters flagged by the scanner. These are not necessary for a weather skill and can be used to hide or manipulate instructions. Recommend inspecting the raw file (hex view) and removing any unexpected control chars.
What to consider before installing
This skill appears to do what it says: a Python CLI that pulls public DHMZ/prognoza/vrijeme/klima/hidro XML feeds. Before installing: (1) inspect the raw SKILL.md for invisible Unicode control characters (the scanner flagged these) and remove them if present, (2) read scripts/dhmz.py yourself (it fetches many public URLs — expected) and run it in a sandboxed agent or separate environment first, (3) verify the feed URLs are legitimate (they appear to be official Croatian domains), and (4) be aware the included Python script may contain minor bugs (truncated snippet shows a likely typo) — test commands manually to confirm behavior. If you lack the ability to inspect files, treat this as potentially risky and avoid granting it autonomous privileges until a manual review is done.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🌦️ Clawdis
Bins: python3
