Skillv1.0.0

ClawScan security

Weather Broadcast · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignMar 15, 2026, 9:48 AM

Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's requirements and instructions are consistent with a weather-to-TTS workflow using SenseAudio; nothing requested is disproportionate, though there is a small documentation/instruction mismatch to fix before use.
Guidance: This skill is internally coherent for producing weather broadcasts via SenseAudio, but check a couple of things before installing/running: 1) The bash example uses xxd to convert hex to audio but xxd is not listed in required binaries — install xxd (or change the script to use base64 if the API returns base64) to avoid runtime errors. 2) Confirm the SenseAudio endpoint and response format match your account/docs (the examples expect hex-encoded audio at .data.audio); update decoding accordingly. 3) Only your SENSEAUDIO_API_KEY is needed; keep that key private and review SenseAudio's privacy/usage policy because audio/text data will be sent to that service. 4) The skill calls public weather services (wttr.in/open-meteo), so be aware those network requests transmit the queried location. If you need offline or private data handling, modify the workflow. Overall the footprint is small and proportional, but verify the minor example mismatches before use.

Purpose & Capability: okName/description (fetch weather + generate TTS) match what the SKILL.md instructs: it fetches data from wttr.in/open-meteo and calls SenseAudio TTS. The only requested credential is SENSEAUDIO_API_KEY which is appropriate for the described TTS integration.
Instruction Scope: noteRuntime steps stay within the stated purpose (fetch weather, generate broadcast, save audio). They call public weather APIs (wttr.in, open-meteo) and SenseAudio's API. Minor inconsistency: the bash example uses xxd -r -p to convert hex to binary but xxd is not listed in required binaries; the examples assume the API returns hex-encoded audio in .data.audio (the Python example decodes hex too). Otherwise instructions do not read unrelated files or other environment variables.
Install Mechanism: okInstruction-only skill with no install spec; nothing will be written to disk by the installer. This is the lowest-risk install model.
Credentials: okOnly SENSEAUDIO_API_KEY is required and is directly used to call the SenseAudio endpoint. No unrelated credentials, config paths, or broad secret access are requested.
Persistence & Privilege: okThe skill does not request always:true and is user-invocable only. It does not ask to modify other skills or system-wide settings.