OpenWeather CLI
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a coherent weather CLI helper, with the main cautions being that it installs code from a GitHub repository and uses an OpenWeather API key.
Before installing, make sure you trust the GitHub repository or pin a reviewed commit. Keep OPENWEATHER_API_KEY private, avoid sharing debug logs that might contain request details, and do not install into protected system directories unless you have reviewed the source.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing from the live repository means changes in that repository could affect what gets installed.
The recommended install builds code from a remote GitHub repository without pinning a commit or bundling reviewed source. This is normal for a CLI install, but users should verify the source they are installing.
git clone https://github.com/ParinLL/OpenWeatherMap-script.git ... go install .
Review the repository before installing, use a trusted tag or commit when possible, and avoid privileged installation unless necessary.
The CLI will need access to the user's OpenWeatherMap API key, which should not be shared in logs, chat, or screenshots.
The skill requires an OpenWeatherMap API credential and explicitly treats it as sensitive. This is expected for the stated weather API purpose.
export OPENWEATHER_API_KEY="your-api-key" ... Never expose full API keys in outputs
Use a dedicated OpenWeather API key if possible, keep it in environment variables or a secure secret store, and redact it from troubleshooting output.
