QWeather City Weather
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: qweather-city-weather Version: 1.0.1 The skill is a legitimate tool for querying the QWeather API to retrieve city codes and real-time weather data. The core logic in `scripts/qweather_query.py` uses standard Python libraries for HTTP requests, implements proper input encoding with `urllib.parse.quote`, and handles API configuration via environment variables or command-line arguments. No evidence of data exfiltration, malicious execution, or prompt injection was found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may run the included script to perform weather lookups.
The skill is designed around running a local Python script. This is expected for the stated purpose, but users should understand that invoking the skill runs bundled code.
Use this skill primarily via the bundled script: - `scripts/qweather_query.py`
Use the skill only if you are comfortable with the bundled script being run for QWeather city and weather queries.
A QWeather API key is needed, and it will be sent to whatever QWEATHER_API_HOST or --api-host value is configured.
The script sends the provided QWeather API key as an HTTP header to the configured API host. This is expected for QWeather API access, but it is still credential use.
"X-QW-Api-Key": api_key
Set the API host only to an official/trusted QWeather endpoint and avoid exposing the API key in shared logs or prompts.