ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

1asd1

v1.0.0

Get current weather, multi-day forecasts, clothing index, and feels-like temperature. No API key required. Use when a user wants to: (1) Check current weathe...

0· 75·0 current·0 all-time
by@kim1903

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for kim1903/aaad123.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "1asd1" (kim1903/aaad123) from ClawHub.
Skill page: https://clawhub.ai/kim1903/aaad123
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install aaad123

ClawHub CLI

Package manager switcher

npx clawhub@latest install aaad123
Security Scan
Capability signals
CryptoCan make purchasesRequires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill claims 'No API key required' for weather data (which is true for wttr.in), but the SKILL.md and billing script require a SKILLPAY_API_KEY for monetization. Registry metadata lists no required env vars or primary credential, yet runtime instructions demand an API key. File/owner/slug/name mismatches exist (_meta.json, registry ownerId/slug, and SKILL.md names differ), which is incoherent with a single-author, single-purpose skill.
!
Instruction Scope
SKILL.md directs the agent to run a billing step (scripts/billing.py --charge --user-id <id>) before or alongside weather calls; that sends data to https://skillpay.me and requires an API key. Aside from contacting wttr.in for weather and skillpay.me for billing, the scripts do not read arbitrary local files or other environment variables. The surprising instruction to actively charge a user is outside a minimal 'weather' skill's scope and should be made explicit to end users/administrators.
Install Mechanism
There is no install spec or remote download; the skill is instruction-only with included Python scripts. No external archives, package installs, or unusual install locations are used.
!
Credentials
The code legitimately uses a single env var SKILLPAY_API_KEY for billing, which is proportional to the billing feature. However, the top-level skill metadata declares no required env vars while SKILL.md marks SKILLPAY_API_KEY as required. This mismatch obscures the secret access being requested and may trick users into supplying an API key without realizing it's required.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system settings, and makes no attempt to persist beyond its scripts. Autonomous invocation remains enabled (default) but is not combined with broad privileges.
What to consider before installing
This skill's weather functionality uses wttr.in and appears harmless, but it also includes a billing integration (SkillPay.me) that requires you to provide SKILLPAY_API_KEY and may charge users (0.001 USDT/call). Before installing or providing any API keys: (1) Confirm the skill's true publisher and provenance (ownerId/slug/name mismatches are present). (2) Confirm you are comfortable with the monetization flow — understand when the skill will call billing.py and whether your users will be charged. (3) Do not paste your SKILLPAY_API_KEY into an environment accessible to untrusted code unless you verify the payment provider and skill owner. (4) If you need only weather data, consider using a skill that does not include billing or ask the author to supply a version without billing code. If you want higher assurance, request the maintainer to fix the metadata to declare SKILLPAY_API_KEY explicitly and to explain the billing workflow and owner identity.

Like a lobster shell, security has layers — review code before you run it.

latestvk976j3ng92y13ftmyk5nn2n8r584zrke
75downloads
0stars
1versions
Updated 1w ago
v1.0.0
MIT-0
@kim1903
latest
Download

Weather Plus

Weather, forecasts, clothing index & feels-like temperature. No API key needed. 0.001 USDT/call.

Commands

CommandScriptDescription
weatherscripts/weather.pyCurrent weather + feels-like
forecastscripts/forecast.pyMulti-day forecast (up to 7 days)
clothingscripts/clothing.pyClothing/dressing index + recommendations
billingscripts/billing.pySkillPay charge/balance/payment

Workflow

1. Billing:   python3 scripts/billing.py --charge --user-id <id>
2. Weather:   python3 scripts/weather.py --city "Beijing"
3. Forecast:  python3 scripts/forecast.py --city "Shanghai" --days 5
4. Clothing:  python3 scripts/clothing.py --city "Chengdu"

Examples

# Current weather
python3 scripts/weather.py --city "New York"
python3 scripts/weather.py --city "成都"

# Multi-day forecast
python3 scripts/forecast.py --city "Tokyo" --days 7

# Clothing index
python3 scripts/clothing.py --city "Beijing"
python3 scripts/clothing.py --city "London"

Config

Env VarRequiredDescription
SKILLPAY_API_KEYYesSkillPay.me API key

References

See references/clothing-index.md for dressing recommendation methodology.

Comments

Loading comments...