Skill v1.0.0
ClawScan security
Weather Ultra · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 20, 2026, 11:33 AM
- Verdict
- suspicious
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill appears to implement weather and golden/blue-hour features as claimed, but it omits declaring required API keys and sources ~/.openclaw/.env (which executes arbitrary content), creating coherence and security concerns you should understand before installing.
- Guidance
- What to consider before installing:
  - The included script needs two API keys (WEATHERAPI_KEY and SUNSETHUE_KEY) but the skill metadata did not declare them — confirm you are asked to provide only those keys and that you trust the endpoints (weatherapi.com and api.sunsethue.com).
  - The script sources ~/.openclaw/.env (runs it as shell code). That means any commands in that file will be executed. Inspect the file before use and avoid placing unrelated secrets or commands there. Prefer providing just the two API keys in a safe, minimal file or environment rather than leaving a file with arbitrary content in ~/.openclaw/.env.
  - The script embeds API keys in GET query strings; this can expose keys in logs or network traces. If you must use keys, consider using a dedicated key with limited scope or ask the maintainer to use POST or Authorization headers.
  - The script assumes curl and jq are installed but the skill did not declare these dependencies; install them or request the author to declare requirements.
- If you are not comfortable: do not install or run the script until the author updates the skill metadata to declare required env vars, removes unsafe 'source' behavior (or documents it clearly), and documents dependencies. If you proceed, review ~/.openclaw/.env contents and limit the provided API keys to only what is needed.
Review Dimensions
- Purpose & Capability
- concern: The script performs weather and sunrise/sunset/quality queries (WeatherAPI and sunsethue) which match the skill's description. However, the skill metadata declared no required environment variables or credentials while the script expects WEATHERAPI_KEY and SUNSETHUE_KEY — an incoherence between claimed requirements and actual needs.
- Instruction Scope
- concern: The runtime script sources ~/.openclaw/.env if present (using shell source), which executes any code in that file rather than just reading key/value pairs. That grants the skill the ability to run arbitrary commands from a user file without explicit declaration. Otherwise, the script's network calls go only to weatherapi.com and api.sunsethue.com, which are consistent with its purpose.
- Install Mechanism
- note: This is instruction-only with a bundled shell script (no installer). The script assumes the presence of curl and jq, but the registry lists no required binaries; missing these will cause runtime errors. No downloads or external install URLs are used.
- Credentials
- concern: The script relies on two API keys (WEATHERAPI_KEY and SUNSETHUE_KEY), which are proportional to the functionality, but they are not declared in the skill metadata. More importantly, sourcing ~/.openclaw/.env may expose unrelated secrets or execute arbitrary content — a disproportionate access pattern relative to the stated purpose.
- Persistence & Privilege
- ok: The skill does not request persistent/autonomous elevation (always:false) and does not modify system or other skills' config. It runs as an on-demand script, so the persistence/privilege level is appropriate.
