기상청 날씨 (KMA Weather Korea)
v2.2.0
KMA short-term forecast API - ultra-short-term observation/forecast, short-term forecast
by 김성우 @sw326
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The name/description (KMA short-term forecast + AirKorea integration) align with the included scripts (weather.sh, morning_briefing.sh, grid_convert.py). However SKILL.md and code reference cross-skill integration (airkorea/notify) that are not provided here, and the package metadata declares no required credentials or binaries even though the scripts need an API key and tools (curl, jq, python3).
Instruction Scope
Runtime instructions and scripts call only public government APIs (data.go.kr / apis.data.go.kr) and produce local output, which is expected. But the morning_briefing.py fragment opens /home/scott/.config/data-go-kr/api_key (absolute path) instead of the documented ~/.config/data-go-kr/api_key — this is a leftover hardcoded path that will attempt to read another user's file if it exists or crash. The scripts also assume jq, curl, and python3 exist even though the skill metadata lists no required binaries.
Install Mechanism
No install spec (instruction-only) — low risk from arbitrary downloads. However the skill ships executable scripts that expect runtime tools (curl, jq, python3). Those required binaries are not declared in registry metadata, creating a coherence gap (user may not have them).
Credentials
The skill relies on a data.go.kr API key stored in a filesystem path (SKILL.md instructs ~/.config/data-go-kr/api_key). The registry declares no required env vars/credentials, so the key requirement is undocumented. The hardcoded /home/scott path in morning_briefing is particularly problematic: it could cause the skill to read another user's config if present. The number and scope of credentials requested is small (one API key) and appropriate for the stated purpose, but the way the key is accessed is inconsistent and concerning.
Persistence & Privilege
always:false and no install hooks — the skill is not force-included and does not request system-wide persistence. It can be invoked autonomously by the agent (platform default), but this is not combined with other high-risk flags.
What to consider before installing
This skill appears to implement exactly what it claims (KMA forecasts + AirKorea), but I recommend caution because of several inconsistencies before you install or enable it:
- API key handling: SKILL.md says to store your data.go.kr key at ~/.config/data-go-kr/api_key, and weather.sh reads that path, but morning_briefing.py opens /home/scott/.config/data-go-kr/api_key (hardcoded). That is likely a developer leftover — either fix the script to use the documented path or ensure the file exists where the script expects it. Do not store keys in world-readable locations; set file permissions to restrict access (chmod 600).
- Undeclared runtime dependencies: The scripts call curl, jq and python3. The registry lists no required binaries. Make sure your runtime has curl, jq, and python3 available, or modify the scripts to handle missing tools.
- Undocumented credential requirement: The registry metadata lists no required env vars/credentials but the scripts require an API key file. Treat the API key as sensitive and confirm it's only used to call the listed government APIs. You can prefer using an environment variable or secure secret store instead of a file to avoid accidental exposure.
- Hardcoded user path: The /home/scott path is suspicious (likely a leftover). Inspect and edit morning_briefing.sh/python to read the same path as weather.sh (~/.config/data-go-kr/api_key) or to accept the key via argument/ENV. Running the skill as-is could fail or unintentionally read another user's key if that path exists.
- Cross-skill assumptions: The SKILL.md expects an AirKorea skill and a notify connector. If you don't have those, the integrated features will fail. Review scripts and test them locally in a safe environment before enabling agent-autonomous invocation.
If you want to proceed: review and patch morning_briefing to remove the hardcoded /home/scott path, ensure proper file permissions, declare the required binaries/credentials in metadata, and consider switching to an environment variable or explicit configuration parameter for the API key. If you want, I can produce a patched morning_briefing.sh/python snippet that uses ~/.config/data-go-kr/api_key or accepts an environment variable.
Like a lobster shell, security has layers — review code before you run it.
