Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Cs Qweather Alert
v1.4.0. A QWeather (和风天气) lookup toolkit supporting real-time weather queries and weather alert queries. Triggered when the user asks about a city's weather, temperature, humidity, wind or rain conditions, or needs to look up weather alerts.
by Chenfeng (@savior1987)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw)
Verdict: Suspicious (high confidence)

Purpose & Capability
The skill's name/description (QWeather real-time weather and alerts) matches the code and scripts provided. However, the registry metadata claims no required environment variables/credentials while SKILL.md and the code actually require an API host (QWEATHER_API_HOST) and a JWT token (from --token or ~/.myjwtkey/last-token.dat). That metadata omission is an inconsistency and should be corrected.
Instruction Scope
Runtime instructions and code automatically load environment variables from ~/.openclaw/.env (dotenv.load_dotenv with override=True) and read a JWT token file at ~/.myjwtkey/last-token.dat if not provided. The scripts also log API request/response details to /tmp/cslog/*.log (response bodies up to 2000 chars) and persist city cache to scripts/data/location.json. These actions go beyond simply calling a weather API and touch local files that may contain secrets or PII.
Install Mechanism
No install spec or external downloads; this is instruction+script-only and uses only standard libs plus optional dotenv if present. No network-based installers or third-party package pulls were observed.
Credentials
The skill accesses sensitive local artifacts not declared in registry: ~/.openclaw/.env (auto-loaded) and ~/.myjwtkey/last-token.dat (token). It expects an Authorization Bearer JWT for QWeather. The registry listed no required env/credential; that mismatch and the automatic .env loading (override=True) are disproportionate and increase risk of unintentionally exposing local secrets.
Persistence & Privilege
The skill writes persistent artifacts: per-day logs under /tmp/cslog/ and updates scripts/data/location.json (city cache) in the skill directory. It does not set always:true, nor modify other skills or global agent configs. Still, it creates files on disk (including logs that contain API response bodies) which you may want to control or sandbox.
What to consider before installing
This skill implements expected weather/alert calls to a QWeather-style API, but the package metadata omitted required configuration and the scripts automatically read local secret files and write logs/caches. Before installing or running:
1) Confirm you trust the skill source (homepage is missing).
2) Expect to provide a QWEATHER_API_HOST and a JWT token (passed with --token or stored at ~/.myjwtkey/last-token.dat).
3) Be aware it will auto-load ~/.openclaw/.env (which may contain other secrets); remove or sanitize that file if you don't want automatic loading.
4) Logs are written to /tmp/cslog and include API response bodies (the token is logged masked, but responses may contain PII), and the city cache is written to scripts/data/location.json; run in an isolated/sandboxed environment if possible.
5) Ask the publisher to update registry metadata to declare required env vars/credentials and to document logging behavior, or inspect and run the scripts manually rather than granting the agent autonomous invocation.
If you cannot verify the token source or do not want local files read, do not install.
Latest version: vk978x8qpg8p3tc1y8fwc01strs84g0eg
