Back to skill
Skillv1.0.0
ClawScan security
UAPI 查询天气 接口 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 9, 2026, 4:48 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is an instruction-only wrapper for a single UAPI weather endpoint and its requested resources and instructions are consistent with that purpose.
- Guidance
- This skill appears internally coherent and only documents calling the UAPI GET /misc/weather endpoint. Before installing, consider: (1) the skill has no homepage or publisher site listed — verify you trust the source if you will supply an API key; (2) network calls go to https://uapis.cn, so any location data or query parameters will be sent to that external service; avoid sending sensitive data in queries; (3) if you provide a UAPI Key, ensure it is stored and scoped appropriately and rotate it if you stop using the skill; (4) allow_implicit_invocation means the agent may auto-select this skill for relevant requests — if you prefer explicit control, disable implicit invocation in agent settings. Otherwise the skill's files and instructions align with its stated purpose.
Review Dimensions
- Purpose & Capability
- okName/description: a single endpoint GET /misc/weather. Declared requirements: none. Files included are documentation and a small agent prompt. Nothing in the bundle asks for unrelated credentials, binaries, or system access.
- Instruction Scope
- okSKILL.md instructs the agent to read provided reference docs and call the GET /misc/weather endpoint, check params, and handle auth if required. It does not instruct reading arbitrary files, accessing unrelated env vars, or exfiltrating data. It does suggest obtaining a UAPI Key only if rate-limited, which is appropriate for this API.
- Install Mechanism
- okInstruction-only skill with no install spec and no code files to execute; nothing will be downloaded or installed by the skill itself.
- Credentials
- okThe skill declares no required environment variables or credentials. The doc references an optional UAPI Key only for rate-limit/auth cases, which is proportional to calling a third‑party API.
- Persistence & Privilege
- notealways is false (normal). The agent interface enables implicit invocation (allow_implicit_invocation: true) which lets the agent select the skill when relevant — this is expected for skills but means the agent can call the endpoint autonomously when the user request matches.