v1.1.1

Wind & Site

Benign
ClawScan verdict for this skill. Analyzed May 1, 2026, 5:54 AM.

Analysis

The skill appears to do what it says—fetch wind data and create a wind-rose image—but it runs local Python scripts, installs common Python packages manually, and sends site coordinates to Open-Meteo.

Guidance: This skill looks safe for normal wind and site-weather lookups. Before installing, be comfortable with it running local Python scripts, installing common Python packages, and sending requested site coordinates to Open-Meteo; use a separate Python environment if you want to limit dependency impact.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low, Confidence: High, Status: Note
SKILL.md
permissions:
  - shell:exec ... run the script directly with `exec` ... Do not ask for confirmation

The skill authorizes shell execution and instructs the agent to run the included scripts directly for matching user requests. This is central to the skill's function and not hidden, but it is still a capability users should notice.

User impact: When asked for wind data, the agent may run the included Python scripts locally without asking again.
Recommendation: Install only if you are comfortable with the agent running these bundled scripts for wind-data requests; avoid extending this permission to unrelated commands.

Agentic Supply Chain Vulnerabilities
Severity: Low, Confidence: High, Status: Note
requirements.txt
requests
numpy
matplotlib

The dependencies are listed without version pins. The setup instructions install them with pip, so the exact packages resolved depend on the Python package index at install time.

User impact: A future package update or compromised dependency could affect the local Python environment used by the skill.
Recommendation: Use a dedicated Python environment and consider pinning or reviewing dependency versions if you need stronger supply-chain control.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low, Confidence: High, Status: Note
scripts/wind_info.py
url = "https://api.open-meteo.com/v1/forecast" ... "latitude": lat, "longitude": lon ... r = requests.get(url, params=params, timeout=15)

The script sends the user-provided site coordinates to the external Open-Meteo API. This is disclosed and necessary for the weather lookup, but it is still an external data flow.

User impact: The latitude and longitude of the requested site are shared with Open-Meteo to retrieve wind data.
Recommendation: Avoid using highly sensitive private site coordinates if you do not want them sent to Open-Meteo.