ClawHub

WeatherKit

v1.0.0

Access Apple WeatherKit REST API for detailed weather forecasts using JWT authentication.

2· 1.2k·2 current·3 all-time
by@jimmcq
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (WeatherKit REST API access) align with what the skill requires and does: it needs Apple developer identifiers and a local .p8 private key, generates a JWT, and calls weatherkit.apple.com. The requested env vars (APPLE_TEAM_ID, APPLE_KEY_ID, APPLE_WEATHERKIT_KEY_PATH, APPLE_SERVICE_ID) are exactly what WeatherKit JWT auth requires.
Instruction Scope
Runtime instructions and the Python code stay within the stated purpose (generate a JWT from the provided private key and call Apple WeatherKit). However, the script prints debug information to stderr (full request URL and raw response text) and echoes response bodies on errors; these debug prints could expose sensitive response content in logs. The script reads only the declared env vars and the provided private key file path; it does not access unrelated files or external endpoints beyond weatherkit.apple.com.
Install Mechanism
There is no install spec (instruction-only + a bundled Python file), so nothing is downloaded at install time. The only external libraries used are jwt (PyJWT) and requests; the skill does not provide an install step or pin package sources. This is low risk but note: the runtime environment must provide those Python packages.
Credentials
The environment variables requested are proportional and directly required for WeatherKit JWT authentication. The single file read (APPLE_WEATHERKIT_KEY_PATH -> .p8 private key) is expected. Users should be aware that providing the private key path grants the script access to that private key file, so file permissions and environment exposure matter.
Persistence & Privilege
The skill does not request always:true and does not attempt to modify other skills or system-wide settings. It runs on-demand and requires no privileged persistence.
Assessment
This skill appears to do exactly what it claims: generate a JWT from your Apple developer credentials and call Apple WeatherKit. Before installing, verify the skill source (registry shows 'Source: unknown'), and ensure you store the .p8 private key securely and only grant the skill access to a minimal-permission file path. Note the bundled script prints debug output (request URL and raw responses) to stderr — consider removing or disabling those debug prints if you don't want responses or request details to appear in logs. Also ensure your runtime provides trusted versions of the Python dependencies (PyJWT and requests). If you need higher assurance, run the script in an isolated environment (container) and rotate any exposed keys after testing.

Like a lobster shell, security has layers — review code before you run it.

latestvk979sswy65yx29nv2d91275ejx80q6t2

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🌤️ Clawdis
EnvAPPLE_TEAM_ID, APPLE_KEY_ID, APPLE_WEATHERKIT_KEY_PATH, APPLE_SERVICE_ID

Comments