ClawHub
Back to skill
v1.3.0

Google Weather

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:20 AM.

Analysis

The skill appears to be a straightforward Google Weather helper, but it uses local command execution, a Google API key, and sends requested locations to Google APIs.

GuidanceThis looks reasonable for a weather skill. Before installing, make sure you are comfortable providing a Google API key and sending queried locations to Google, and use a restricted API key with quotas where possible.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityLowConfidenceHighStatusNote
SKILL.md
allowed-tools: [exec]

The skill permits local command execution, which is used to run the bundled weather helper.

User impactThe agent can run the weather helper locally when using this skill.
RecommendationInstall only if you are comfortable with the agent invoking the included Python helper, and avoid asking it to run modified shell commands outside the documented examples.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
lib/weather_helper.py
self.api_key = os.getenv("GOOGLE_API_KEY") or os.getenv("GOOGLE_WEATHER_API_KEY") or os.getenv("GOOGLE_MAPS_API_KEY")

The helper reads Google API credentials from environment variables so it can call Google Weather and Maps APIs.

User impactThe skill can use the configured Google API key and may incur API usage or billing according to that key's permissions.
RecommendationUse a Google API key scoped to only the needed Weather and Geocoding APIs, with quota and billing limits where possible.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityLowConfidenceHighStatusNote
lib/weather_helper.py
self.geocode_url = "https://maps.googleapis.com/maps/api/geocode/json"

The helper sends requested locations to Google's Geocoding API before calling the Weather API.

User impactLocations, addresses, landmarks, or coordinates you ask about may be shared with Google as part of the weather lookup.
RecommendationAvoid entering sensitive private addresses unless you are comfortable sending them to Google APIs.