Cs Qweather Jwtgen

This skill's code does what it says (generates EdDSA JWTs for 和风天气) and writes the token to ~/.myjwtkey/last-token.dat, but there are a few red flags to consider before installing: - Confirm required inputs: The registry metadata lists no required env vars, but the SKILL.md and script require QWEATHER_SUB and QWEATHER_KID. Make sure you know and trust where you'll provide these values. - Inspect ~/.openclaw/.env: The script attempts to auto-load that file (dotenv with override=True). That may overwrite process env vars and can contain other secrets. Review its contents before allowing the skill to run. - Verify private key location and permissions: The script expects your Ed25519 private key at ~/.myjwtkey/ed25519-private.pem and will read it. Ensure the file is the key you intend to use and has safe permissions (the script sets token file to 600 but you should confirm the private key file is protected). - Run in an isolated environment first: If you are unsure, run the script in a test account or sandbox so you can verify behavior (no network calls are present, but it will read/write local files). - Dependency hygiene: Install pyjwt from a trusted source and avoid untrusted forks. The script optionally uses python-dotenv; if you install that, ensure it's from PyPI. If you require more assurance, ask the skill author to update registry metadata to declare QWEATHER_SUB and QWEATHER_KID as required and to document explicit file path usage, or request a signed/verified source URL and owner provenance before trusting the skill.