Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description promise (query current weather for a city) matches the included code and instructions. The code implements a local, randomized weather simulator and the SKILL.md describes the expected inputs/outputs. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md stays on-topic (describe when to call the tool, input/output schema). Static scan flagged unicode-control-chars in the SKILL.md (possible prompt-injection pattern). The file otherwise contains normal usage instructions and does not instruct reading system files, environment variables, or exfiltrating data.
Install Mechanism
No install spec is provided (instruction-only style). Only Python files are included and requirements.txt notes only standard library; nothing is downloaded or extracted from external URLs.
Credentials
The skill declares no required environment variables, no primary credential, and the code does not access environment variables or external services. The lack of secrets is proportionate to the stated purpose (a mock weather tool).
Persistence & Privilege
Flags show always=false and default autonomous invocation allowed (platform default). The skill does not request persistent system-wide changes or modify other skills' configuration.
Scan Findings in Context
[unicode-control-chars] unexpected: The SKILL.md contained unicode control characters (zero-width / invisible characters), which triggered the scanner. This is not expected for a weather-skill's instructions; it is often benign (formatting or editor artifacts) but could be used in prompt-injection attempts. The rest of the skill's code and manifest do not show other signs of malicious behavior.
Assessment
This skill appears to be a simple, local weather simulator and is internally consistent: it requires no credentials and makes no external network calls. Two practical notes before installing/use: (1) SKILL.md triggered a unicode-control-chars alert — inspect the SKILL.md for invisible characters if you are concerned (they are often harmless formatting artifacts but can be used to manipulate models). (2) The code returns randomized, simulated weather — if you need real-time, authoritative weather data, update the tool to call a real weather API and add the necessary API key (and review that addition for appropriate scoping). Otherwise it is safe for testing and local use.Like a lobster shell, security has layers — review code before you run it.
latestvk97evtba4dr47s4m3a4w99z5td833fch
License
MIT-0
Free to use, modify, and redistribute. No attribution required.