Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

QWeather weather lookup

v1.0.0

Weather lookup: uses QWeather (JWT + Host) to fetch current weather and forecasts; supports city name / LocationID / latitude-longitude; the default location can be set with QWEATHER_DEFAULT_LOCATION.

MIT-0
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's code and SKILL.md implement weather lookups via QWeather (and fallbacks to Open-Meteo), which matches the declared purpose. However, the implementation expects a QWeather JWT flow (PROJECT_ID, CREDENTIALS_ID, PRIVATE_KEY_PATH, API_HOST) but the registry metadata lists no required env vars/credentials. That mismatch (hidden/undeclared credentials) is unexpected for a simple weather skill.
Instruction Scope
SKILL.md instructs the agent to use the bundled tools (location lookup, now, forecast) and references env vars such as QWEATHER_DEFAULT_LOCATION and QWEATHER_PRIVATE_KEY_PATH. The code reads a private key file (CONFIG.PRIVATE_KEY_PATH) from disk, signs JWTs, and calls external APIs. The instructions are not overly broad, but they rely on reading local key material and several environment variables that are not declared in the skill metadata, which expands the runtime surface without making that explicit.
Install Mechanism
There is no install spec and no downloads. The skill is instruction+code only and uses standard Node libraries (crypto, axios). No external installers or remote archives are used.
Credentials
The code requires private key material and QWeather credentials (PROJECT_ID, CREDENTIALS_ID, PRIVATE_KEY_PATH, API_HOST) to use the enterprise JWT-backed API, and also checks process.env.QWEATHER_FREE_API_KEY and QWEATHER_DEFAULT_LOCATION in fallback code. None of these are declared in the skill's required env/credential metadata. Additionally, the repo includes lib/ed25519-private.txt, which does not contain a key but an openssl command wrapped in PEM markers; its presence is unusual and could be a placeholder or a mistakenly checked-in secret. Requiring private keys or API keys without declaring them is disproportionate and surprising to users.
Persistence & Privilege
The always flag is false, and there is no code that attempts to modify other skills or global agent settings. The skill does read files from its own package (the configured PRIVATE_KEY_PATH) but does not request persistent system privileges.
What to consider before installing
This skill mostly does what it says (weather lookups), but it expects enterprise-style JWT credentials and a private key while the registry metadata declares no required secrets. Before installing, ask the author to: 1) explicitly list the required env vars and the primary credential in the registry (PROJECT_ID, CREDENTIALS_ID, QWEATHER_PRIVATE_KEY_PATH or QWEATHER_API_HOST); 2) remove any checked-in private key files (or confirm the file is only a harmless placeholder) and instead require that the private key path be provided via a secure env var or secret store; 3) confirm that API_HOST and other config values are not hard-coded placeholders; and 4) document why QWEATHER_FREE_API_KEY and QWEATHER_DEFAULT_LOCATION are needed. If you cannot verify those points, avoid installing or running the skill with real credentials on sensitive systems.


License

MIT-0
Free to use, modify, and redistribute. No attribution required.
