Cs Qweather Alert

Security checks across malware telemetry and agentic risk

Overview

This weather skill’s local token, configuration, network calls, logs, and city cache are disclosed and fit its QWeather lookup purpose, but users should use a dedicated token and trusted API host.

Install only if you are comfortable with the skill contacting the configured QWeather API host, reading QWeather settings from ~/.openclaw/.env, and using a JWT from --token or ~/.myjwtkey/last-token.dat. Prefer a dedicated QWeather token, verify the host is an official/trusted HTTPS QWeather endpoint, and clear /tmp/cslog or scripts/data/location.json if queried locations are sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
The utility silently sources a JWT token from ~/.myjwtkey/last-token.dat, which expands the skill's access to unrelated local credentials beyond the stated weather-query purpose. In an agent setting, this creates an implicit credential-use path that could send privileged tokens to a remote host if host configuration is altered or compromised.

Context-Inappropriate Capability

Low
Confidence: 89%
Finding
Loading ~/.openclaw/.env at import time broadens the skill's access to user-local configuration and secrets not required for basic weather functionality. Because override=True is used, values from that file can silently replace existing environment variables and influence outbound requests or credential selection.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill automatically loads configuration from ~/.openclaw/.env with override enabled and reads a JWT token from ~/.myjwtkey/last-token.dat by default. Reading secrets from fixed host-local paths without prominent warning and explicit opt-in can unintentionally exfiltrate or misuse sensitive credentials, especially in agent environments where users may not expect a weather skill to access unrelated local authentication material.

Missing User Warnings

Medium
Confidence: 95%
Finding
The code reads a JWT token from a local credential file without explicit user consent or a clear warning that local secrets will be consumed. In an agent environment, that behavior can unexpectedly repurpose an unrelated bearer token for network requests, creating credential exposure risk and violating least surprise.

VirusTotal

64/64 vendors flagged this skill as clean.
