Wind & Site

Pass

Audited by ClawScan on May 1, 2026.

Overview

The skill appears to do what it says—fetch wind data and create a wind-rose image—but it runs local Python scripts, installs common Python packages manually, and sends site coordinates to Open-Meteo.

This skill looks safe for normal wind and site-weather lookups. Before installing, be comfortable with it running local Python scripts, installing common Python packages, and sending requested site coordinates to Open-Meteo; use a separate Python environment if you want to limit dependency impact.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

When asked for wind data, the agent may run the included Python scripts locally without asking again.

Why it was flagged

The skill authorizes shell execution and instructs the agent to run the included scripts directly for matching user requests. This is central to the skill's function and not hidden, but it is still a capability users should notice.

Skill content

permissions:
  - shell:exec ... run the script directly with `exec` ... Do not ask for confirmation

Recommendation

Install only if you are comfortable with the agent running these bundled scripts for wind-data requests; avoid extending this permission to unrelated commands.

What this means

A future package update or compromised dependency could affect the local Python environment used by the skill.

Why it was flagged

The dependencies are listed without version pins. The setup instructions install them with pip, so the exact packages resolved depend on the Python package index at install time.

Skill content

requests
numpy
matplotlib

Recommendation

Use a dedicated Python environment and consider pinning or reviewing dependency versions if you need stronger supply-chain control.

What this means

The latitude and longitude of the requested site are shared with Open-Meteo to retrieve wind data.

Why it was flagged

The script sends the user-provided site coordinates to the external Open-Meteo API. This is disclosed and necessary for the weather lookup, but it is still an external data flow.

Skill content

url = "https://api.open-meteo.com/v1/forecast" ... "latitude": lat, "longitude": lon ... r = requests.get(url, params=params, timeout=15)

Recommendation

Avoid using highly sensitive private site coordinates if you do not want them sent to Open-Meteo.