Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Locate Weather
v1.1.1 Weather-at-location Skill. It first obtains precise coordinates by triangulating across several methods (GPS, IP, WiFi, system location services), then fetches the weather forecast for that position. Supports manually specified coordinates/cities and a time-aware location strategy (automatically picks the best location method for the time of day). The location module references the multi-source-locate Skill; the weather module is implemented independently. Used for: "the weather where I am", "weather at...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence
Purpose & Capability
Functionally, a weather-at-location skill legitimately needs geolocation plus weather API calls (wttr.in). However, the code dynamically imports a sibling dependency, ../multi-source-locate/scripts/locate.py, which is neither included in the file manifest nor declared as a required dependency. The skill therefore expects another skill to already be present on disk; that dependency should be declared and inspected before use.
Instruction Scope
SKILL.md and the scripts only describe using multiple location sources and calling wttr.in for weather; there are no instructions to read unrelated system files or exfiltrate secrets. But the runtime loads an external locate.py from a relative filesystem path, so behavior depends entirely on whatever code exists at that path. Anyone who can place a malicious locate.py alongside this skill gets arbitrary code execution with the agent's permissions.
Install Mechanism
There is no install spec (instruction-only), so nothing is automatically downloaded or written during install. Code files are included in the package but there are no remote downloads or extracted archives in the manifest.
Credentials
No required environment variables are declared, which is consistent with the skill being usable without keys. SKILL.md mentions optional GOOGLE_GEOLOCATION_API_KEY and UNWIRED_API_KEY for WiFi geolocation; these are reasonable optional values but are not declared in the metadata. Confirm whether multi-source-locate reads other environment variables or secrets before providing keys.
Persistence & Privilege
The skill does not request always:true, does not declare system config paths, and does not modify other skills. It runs on-demand and uses subprocess / network calls in normal ways for its purpose.
What to consider before installing
This skill mostly does what it says (triangulated geolocation → wttr.in weather). Key concerns to address before installing:
- Verify and review the external dependency: the code dynamically imports ../multi-source-locate/scripts/locate.py at runtime. That file is not in this package; ensure the multi-source-locate module you provide is the legitimate one and inspect its locate.py for any unexpected filesystem or network activity.
- Treat the sibling-directory import as potentially dangerous: if someone can place a crafted locate.py next to this skill, it will be executed with the agent's permissions. Only run this skill in environments where you control or have reviewed adjacent skill directories.
- Only set the optional GOOGLE_GEOLOCATION_API_KEY / UNWIRED_API_KEY if you trust the code; providing API keys grants external services access tied to those credentials.
- Tests and subprocess usage assume particular working directories; they may fail or behave unexpectedly in some runtimes — review tests before running in production.
If you can inspect the multi-source-locate code and confirm it only performs expected geolocation lookups (IP/GPS/WiFi queries) and does not read unrelated secrets or contact unknown endpoints, the skill is reasonable. If you cannot review that dependency, proceed cautiously (run in an isolated environment or do not provide API keys).
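The first two checklist items above (review the sibling locate.py, and treat the sibling-directory import as dangerous) can be enforced mechanically rather than by convention. The following is an added example, not code from the Locate Weather skill, the multi-source-locate skill, or ClawHub. It assumes the layout the scan describes (this skill's directory sits next to a multi-source-locate/ directory containing scripts/locate.py) and takes the skill directory as the base of the relative import, since the page does not show the original import's base path. The approach it demonstrates, resolving the dependency relative to the skill rather than the working directory, confining it to the skills root, and pinning its SHA-256 at review time, is this example's own hardening and is not something the skill itself does; the hash check only helps if the digest is recorded after a human has actually read the file.

```python
"""Hardened loader for a sibling locate.py dependency (added example; see lead-in).

Assumes: skill_dir/../multi-source-locate/scripts/locate.py is the dependency and
skill_dir's parent is the skills root that every skill must stay inside.
"""
import hashlib
import importlib.util
import tempfile
from pathlib import Path


class UntrustedDependency(Exception):
    """Sibling locate.py is missing, outside the skills root, or does not match the pinned hash."""


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def load_sibling_locate(skill_dir: Path, pinned_sha256: str):
    """Resolve ../multi-source-locate/scripts/locate.py relative to skill_dir (never the
    current working directory), refuse paths that leave the skills root, and verify the
    file's SHA-256 against a digest recorded when the dependency was reviewed.
    Only a file that passes every check is executed."""
    skill_dir = skill_dir.resolve()
    skills_root = skill_dir.parent
    dep = (skill_dir / ".." / "multi-source-locate" / "scripts" / "locate.py").resolve()
    if not dep.is_relative_to(skills_root):
        raise UntrustedDependency(f"{dep} escapes {skills_root}")
    if not dep.is_file():
        raise UntrustedDependency(f"{dep} not found; install multi-source-locate first")
    actual = sha256_of(dep)
    if actual != pinned_sha256:
        raise UntrustedDependency(f"{dep} changed since review: {actual} != {pinned_sha256}")
    spec = importlib.util.spec_from_file_location("multi_source_locate", dep)
    module = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(module)  # reached only after the path and hash checks pass
    return module


def demo() -> dict:
    """Constructed fixture: a reviewed locate.py loads; a swapped file and a missing
    file are both refused before any of their code runs."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        skill_dir = root / "locate-weather"
        dep_file = root / "multi-source-locate" / "scripts" / "locate.py"
        skill_dir.mkdir()
        dep_file.parent.mkdir(parents=True)

        # Benign stand-in for the real module; the coordinates are constructed sample data.
        benign = "def locate():\n    return (48.8566, 2.3522)\n"
        dep_file.write_text(benign)
        pinned = sha256_of(dep_file)  # digest recorded at review time
        coords = load_sibling_locate(skill_dir, pinned).locate()

        # Attacker replaces the sibling file after review (the payload is a harmless placeholder).
        dep_file.write_text(benign + "PAYLOAD = 'would run with the agent permissions'\n")
        try:
            load_sibling_locate(skill_dir, pinned)
            tampered_blocked = False
        except UntrustedDependency:
            tampered_blocked = True

        dep_file.unlink()  # dependency not installed at all
        try:
            load_sibling_locate(skill_dir, pinned)
            missing_blocked = False
        except UntrustedDependency:
            missing_blocked = True

    return {"coords": coords, "tampered_blocked": tampered_blocked, "missing_blocked": missing_blocked}


if __name__ == "__main__":
    print(demo())
```

Resolving against skill_dir instead of the process's working directory also addresses the last checklist item, since the loader behaves the same no matter which directory the agent or the tests were started from.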