Skill v1.0.0

ClawScan security

KnowAir Historical 明气历史天气 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 12, 2026, 1:59 PM
Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's code, runtime instructions, and requested environment access match its stated purpose (fetching historical Caiyun weather) and do not request unrelated credentials or perform unexpected actions.
Guidance
This skill appears to do exactly what it says: call the Caiyun Weather API and format recent historical data. Before installing, be aware that you must provide a CAIYUN_TOKEN (a sensitive API token), either as the CAIYUN_TOKEN environment variable or in ~/.config/knowair/token; only provide a token you are willing to entrust to this skill. Ensure your environment allows outbound HTTPS to api.caiyunapp.com and that the token is from Caiyun. If you have concerns, inspect the included scripts yourself (they are small and human-readable) before use.

Review Dimensions

Purpose & Capability
ok: Name/description match the included Python script and required CAIYUN_TOKEN; requiring python3 and an API token is appropriate for querying Caiyun's historical weather API.
Instruction Scope
ok: SKILL.md and the script are scoped to resolving coordinates, reading the token (env or ~/.config/knowair/token), calling the Caiyun API, formatting results, and printing JSON. It does not access other system files or external endpoints beyond the Caiyun API.
Install Mechanism
ok: No install spec (instruction-only) and a single Python script; nothing is downloaded or written during install, so install risk is minimal.
Credentials
ok: Only a single credential (CAIYUN_TOKEN) is required, which is appropriate for the external API. The script also optionally reads a local token file as documented; no other env vars or secrets are accessed.
Persistence & Privilege
ok: Skill is not always-enabled and does not modify other skills or system configuration. It runs on demand and does not request elevated persistence.