ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Weathercli

v0.1.0

Get current weather conditions and forecasts for any location worldwide. Returns structured data with temperature, humidity, wind, precipitation, and more. No API key required.

3· 2.3k·15 current·15 all-time
by@pjtf93
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description claim retrieving weather data aligns with the SKILL.md which documents a CLI that uses Open‑Meteo (no API key). The declared lack of required env vars/credentials matches the stated purpose.
Instruction Scope
Runtime instructions only tell the agent to call the local weathercli binary (with --json recommended) and how to interpret outputs; they do not instruct reading unrelated files, harvesting environment variables, or sending data to unexpected endpoints.
Install Mechanism
There is no automatic install spec in the registry (lowest risk). SKILL.md suggests installing via 'go install github.com/pjtf93/weathercli' or downloading releases from GitHub — a normal user-side install path but it requires trusting that third‑party GitHub repo/source and a networked build/install.
Credentials
The skill requests no environment variables, credentials, or config paths, consistent with using a free, no‑key API (Open‑Meteo).
Persistence & Privilege
always is false and the skill does not request persistent/system privileges. It can be invoked autonomously (platform default), which is expected for skills of this type.
Assessment
This appears coherent, but before installing: (1) verify the GitHub repository (pjtf93/weathercli) and read the source or release checksums to ensure the binary matches expectations; (2) prefer installing from a trusted package/release or build from source if you have concerns; (3) be aware 'go install' requires the Go toolchain and network access; (4) the skill uses Open‑Meteo (no API key) so no credentials are needed — verify that behavior in the source if you need higher assurance; (5) if you do not want the agent to call external binaries autonomously, disable autonomous invocation or avoid installing the CLI on hosts the agent can access.

Like a lobster shell, security has layers — review code before you run it.

latestvk97e5gfjxvge4f9qmr5tfb2cys7z29xe

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments