Skill v1.0.0

ClawScan security

KnowAir Air Quality 明气空气质量 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 12, 2026, 2:00 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill is internally consistent with a Caiyun weather-API client: it needs a Caiyun API token and python3, calls the Caiyun API, and only reads a local token fallback; nothing in the package suggests unrelated or excessive access.
Guidance
This skill appears to be a straightforward Caiyun weather client. Before installing:
1) Confirm you trust the skill source (source/homepage are unknown).
2) Be aware it requires a Caiyun API token (CAIYUN_TOKEN); the script will also read ~/.config/knowair/token if the env var is not set. Remove or secure any token file you don't want the skill to read.
3) The script makes network requests only to api.caiyunapp.com; if you need stronger isolation, run it in a sandbox.
4) If you expect automatic geocoding from city names, note the script requires explicit lng/lat (you or the agent must resolve names separately).
If any of the above are unacceptable, do not install or provide your token.

Review Dimensions

Purpose & Capability
ok
Name/description match the code and runtime instructions. The script implements hourly/daily forecasts using the Caiyun API and requires python3 and CAIYUN_TOKEN — both appropriate for this purpose. Note: the SKILL.md mentions resolving city names to coordinates but the included script requires explicit lng/lat inputs (geocoding is not implemented in the script). This is a minor documentation gap, not a functional mismatch.
Instruction Scope
ok
Runtime instructions only direct running the included Python script and presenting forecast output. The script makes HTTP GET requests to https://api.caiyunapp.com and prints JSON results. It reads only the CAIYUN_TOKEN environment variable (with a local fallback file) and does not reference other system credentials, unusual files, or external endpoints. Network access is required and explicitly declared.
Install Mechanism
ok
No install spec (instruction-only) and included code is small and straightforward. Nothing is downloaded from arbitrary URLs or installed from untrusted package sources. Risk from installation is low.
Credentials
note
The skill requires a single credential (CAIYUN_TOKEN), which is proportionate. However, the script falls back to reading ~/.config/knowair/token if the env var is absent; the registry metadata declared no required config paths, so this local-file access is not documented in the metadata. This is a minor inconsistency to be aware of.
Persistence & Privilege
ok
The skill is not always-included and does not request elevated or persistent platform privileges. It does not modify other skills or system-wide settings. Autonomous invocation is enabled by default (normal for skills) but not elevated.