ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

My Local Weather

v1.0.0

Provides real-time local weather, forecasts, alerts, and historical data with unit conversion, using a configurable API key for privacy-focused, fast access.

0· 110·0 current·0 all-time
by@zywss·fork of @steipete/weather (1.0.0)

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for zywss/my-local-weather.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "My Local Weather" (zywss/my-local-weather) from ClawHub.
Skill page: https://clawhub.ai/zywss/my-local-weather
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install my-local-weather

ClawHub CLI

Package manager switcher

npx clawhub@latest install my-local-weather
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
The stated purpose (weather data via configurable API key) is reasonable, but the SKILL.md asks for a WEATHER_API_KEY and lists axios/dotenv as dependencies while the shipped package.json and code use only node-fetch and do not read any API key. Registry metadata also declares no required env vars. The capabilities claimed are achievable, but the packaging and docs are inconsistent with the code.
!
Instruction Scope
SKILL.md instructs the agent to use a provider API key (WEATHER_API_KEY), optionally load .env, and mentions axios/dotenv; index.js instead queries wttr.in and never accesses environment variables or dotenv. The instructions therefore ask the agent to handle secrets/config that the code does not use, increasing the chance a user will expose an API key unnecessarily.
Install Mechanism
There is no install spec (instruction-only style), but the package.json/lock are included and list node-fetch from a public npm mirror. No downloads from untrusted URLs or extract operations are present. The mismatch between declared (in SKILL.md) and actual dependencies is the main concern, not the install mechanism itself.
!
Credentials
SKILL.md requests WEATHER_API_KEY (and suggests .env usage) even though the code does not use any environment variables; registry metadata lists no required env. Requesting an API key would be proportionate for a weather skill, but here it is unnecessary and could lead users to supply secrets that the skill never needs — a red flag for possible mis-documentation or future unauthorized use.
Persistence & Privilege
The skill does not request elevated or persistent privileges: always:false, no config-paths, no special OS restrictions. It does not modify other skills or system-wide settings based on the provided files.
What to consider before installing
Do not install or provide API keys until these inconsistencies are resolved. Specific steps you can take: 1) Ask the publisher to explain why SKILL.md asks for WEATHER_API_KEY and lists axios/dotenv while the code uses wttr.in and node-fetch; request a corrected SKILL.md or updated code. 2) Verify the owner ID and source (ownerId in _meta.json differs from registry owner listed) and prefer skills with a known source/homepage. 3) If you still want to test it, run it in a sandboxed environment without supplying any real API keys or secrets. 4) If you intend to use an API key, confirm the code actually reads the environment variable and handles it securely before providing one.

Like a lobster shell, security has layers — review code before you run it.

latestvk9732redjgtcdays25ray868cn83eq9m
110downloads
0stars
1versions
Updated 1mo ago
v1.0.0
MIT-0
@zywss
latest
Download

My Local Weather Skill

Description

A robust, local-first weather information skill for OpenClaw. This skill provides real-time weather forecasts, current conditions, and alerts by querying reliable meteorological APIs. It is designed to be fast, privacy-conscious, and highly configurable.

Capabilities

  • Current Weather: Retrieve temperature, humidity, wind speed, pressure, and visibility for any location.
  • Forecasts: Get hourly forecasts for the next 24 hours and daily forecasts for up to 7 days.
  • Weather Alerts: Fetch active severe weather warnings (storms, heatwaves, floods) for specific regions.
  • Historical Data: Access past weather data for analysis (optional, depending on API key).
  • Unit Conversion: Automatically handle conversions between Metric (Celsius, km/h) and Imperial (Fahrenheit, mph) units based on user preference or location.

Usage Examples

  • "What's the weather like in Tokyo right now?"
  • "Will it rain in London tomorrow morning?"
  • "Give me a 3-day forecast for New York City."
  • "Are there any storm warnings in Florida?"
  • "What is the humidity and wind speed in Berlin?"

Configuration

This skill requires an API key for the weather provider (e.g., OpenWeatherMap, WeatherAPI).

  1. Obtain an API key from your preferred provider.
  2. Set the environment variable WEATHER_API_KEY or configure it in your .env file within the skill directory.
  3. Optionally set WEATHER_UNITS to 'metric' or 'imperial'.

Technical Details

  • Runtime: Node.js
  • Dependencies: Axios (for HTTP requests), dotenv (for config)
  • Privacy: No user data is stored; all requests are proxied directly from the user's machine to the weather API.

Troubleshooting

  • If you see "API Key Missing", ensure WEATHER_API_KEY is set correctly.
  • If location lookup fails, try using city names instead of coordinates, or vice versa.

Comments

Loading comments...