ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Alibabacloud Iqs Weather Query

v0.0.1-beta.1

7-day weather forecast query powered by Alibaba Cloud IQS web search and page reading. Triggers: "weather forecast", "7-day weather", "weekly weather", "weat...

0· 56·0 current·0 all-time
byalibabacloud-skills-team@sdk-team
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description match the included script: it queries Alibaba Cloud IQS (UnifiedSearch + ReadPage) to return weather data. That capability reasonably requires an ALIYUN_IQS_API_KEY and access to the IQS endpoints. However, the registry metadata claims "Required env vars: none" while SKILL.md and the script both require/read ALIYUN_IQS_API_KEY (and may read ~/.alibabacloud/iqs/env). This mismatch is inconsistent and should be clarified.
!
Instruction Scope
SKILL.md and the script stay mostly within weather-query scope (search, read, parse). However the bundle explicitly includes an "evolveHint" that asks the agent to analyze rawText and produce a new parser function and register it in scripts/weather.mjs. That guidance effectively instructs the agent to create or modify code within the skill bundle (or at least to propose code to be inserted). This expands the skill's runtime authority and could lead to the agent being asked to write/execute code beyond simple queries. The instructions also reference reading the user's home config file (~/.alibabacloud/iqs/env) — which is relevant for an API key but is an additional filesystem access to be aware of.
Install Mechanism
No install spec is provided (no downloads or package installs). The skill includes a Node.js script (requires Node.js >= 18). There is no external install URL or archive; risk from install mechanism is low. The presence of an included .mjs script means code will run locally when invoked.
Credentials
The script only needs the ALIYUN_IQS_API_KEY (from process.env or ~/.alibabacloud/iqs/env) to call Alibaba IQS endpoints, which is proportionate to the stated purpose. The discrepancy is that the registry metadata lists no required env vars while SKILL.md and scripts do require an API key — this omission is a red flag for sloppy metadata or accidental under-declaration; verify the key requirement before use. No other credentials or unrelated environment variables are referenced.
Persistence & Privilege
The skill does not request always:true and does not declare any system-level persistence. However the skill's 'self-improve' guidance encourages adding parser functions into scripts/weather.mjs (i.e., modifying the skill's files). While editing its own parser registry could be legitimate for maintenance, it effectively allows evolution of executable code and should be treated as elevated behavior: only allow if you trust the source and review proposed changes before applying them.
What to consider before installing
This skill implements a plausible Alibaba Cloud IQS-based weather lookup and requires an ALIYUN_IQS_API_KEY (the script reads process.env and ~/.alibabacloud/iqs/env), but the registry metadata does not declare that env var — confirm the key requirement before installing. Review the bundled scripts/weather.mjs yourself: the code calls cloud-iqs.aliyuncs.com and contains site-specific parsers. Pay special attention to the "evolve" behavior: the skill encourages producing new parser code and registering it in the shipped file; do not automatically accept or run code-generation that rewrites files without manual review. If you will provide the API key, consider running the skill in a constrained environment (container or isolated account) and only enable autonomous invocation if you trust the publisher. If you need higher confidence, ask the publisher for a provenance/source repository and updated metadata declaring ALIYUN_IQS_API_KEY, or request that the evolve/self-modification capability be removed or only exposed as a manual developer instruction.
scripts/weather.mjs:30
Environment variable access combined with network send.
!
scripts/weather.mjs:40
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk972jmvfff9s1mak2nygcne86584gmv4

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments