Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Weather NWS

v1.0.3

US weather forecasts via National Weather Service (NWS) with automatic fallback to global weather for non-US locations. Provides detailed accumulation data,...

by Hiren Patel (@patelhiren)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
The name/description (NWS weather with global fallback) matches the behavior: geocoding, NWS API calls for US coordinates, wttr.in fallback for non-US, and optional AirNow AQI. No unrelated credentials, binaries, or installs are requested.
Instruction Scope
SKILL.md instructs running the bundled Python script and optionally providing AIRNOW_API_KEY. The runtime instructions and examples are narrowly scoped to weather queries. The script (as shown) performs only network calls to geocoding (Nominatim), NWS (api.weather.gov), wttr.in, and likely AirNow; it does not instruct reading unrelated local files or exfiltrating data to unknown endpoints.
Install Mechanism
No install spec is present (instruction-only plus a local script). That is low-risk from an installation perspective; the skill will run the included Python script directly (requires Python on PATH).
Credentials
Only one optional environment variable (AIRNOW_API_KEY) is declared and documented in SKILL.md for optional AQI functionality. No other secrets or config paths are requested, which is proportionate to the stated functionality.
Persistence & Privilege
The skill does not request always: true and is user-invocable only. It does suggest storing AIRNOW_API_KEY in OpenClaw config as an option (normal for persistent credentials). It does not modify system-wide settings or other skills.
Assessment
This skill appears to do what it says: it geocodes the user-provided location, calls NWS for US locations, falls back to wttr.in for others, and optionally queries AirNow when you supply AIRNOW_API_KEY. Before installing or running:
1) review the full scripts/get_weather.py file (the prompt contained a truncated excerpt) to confirm there are no hidden endpoints or obfuscated code;
2) be aware the script will send location strings to external services (Nominatim, api.weather.gov, wttr.in, and optionally AirNow) — if you need to keep location queries private, avoid running the script or run it in an environment you control;
3) supply the optional AIRNOW_API_KEY only if you trust the skill and the platform;
4) watch for rate limits and respect Nominatim/NWS usage policies (the code already sets a User-Agent).
If you want, I can re-check the complete get_weather.py file line-by-line for any hidden behavior.

Like a lobster shell, security has layers — review code before you run it.


Runtime requirements

Environment variables
AIRNOW_API_KEY (optional): AirNow API Key for AQI lookup
