Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

WeatherPanel Note AI PC

v1.0.2

WeatherPanel Note AI PC for Shanghai weather. This skill fetches current weather from Open-Meteo, summarizes the overall conditions with a local LLM through...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description match the code: fetch_weather.py calls Open‑Meteo, summarize_weather.py calls a local 'summarize' CLI, dashboard.html is copied to a local Canvas path, and flush_to_obsidian.py appends to an Obsidian note. No unrelated cloud credentials, unrelated binaries, or extraneous capabilities are requested.
Instruction Scope
Runtime instructions are limited to running the bundled Python pipeline and writing only into the user's Canvas and state directories and an Obsidian note. One notable implementation detail: summarize_weather.py launches the summarize CLI with shell=True (it builds a quoted command string), which increases risk if SUMMARIZE_BIN is malicious or contains shell metacharacters; SUMMARIZE_BIN can be overridden via the environment or the allowlisted config file. The skill otherwise respects the stated limits (it does not read generic secret files and uses an allowlist for config keys).
Install Mechanism
No install spec or remote downloads are present; the skill is instruction + local Python scripts only. Nothing is fetched or executed from arbitrary URLs by the skill itself.
Credentials
The skill declares no required environment variables and the env_loader only populates a small allowlisted set from a user-side config JSON. Allowed keys are non-secret (paths, binary names, coordinates, base URL). The code uses standard HOME/USERPROFILE and optional HTTP_PROXY/HTTPS_PROXY—expected for a network client.
Persistence & Privilege
The skill does not request 'always: true' or any elevated/automatic persistence. It writes state and canvas files under ~/.openclaw/state and the user's Canvas/Obsidian locations (expected for its function) and does not modify global OpenClaw config or system startup settings.
Assessment
This skill appears to do what it says: fetch Open‑Meteo data, summarize via a local summarize CLI, update a local dashboard, and append to an Obsidian note. Before installing or running it, consider:
1) The skill will write files under ~/.openclaw/state and your Canvas directory and will append to the configured Obsidian note; verify OBISIDIAN_VAULT/NOTE_PATH to avoid unwanted writes.
2) The summarization step invokes an external binary named by SUMMARIZE_BIN (default 'summarize') using shell=True; ensure that the summarize binary on your PATH (or any override you set in the allowlisted config) is the trusted implementation you expect.
3) The Obsidian flush step calls an external obsidian-cli; ensure that binary is trusted.
4) If you are concerned about injection via SUMMARIZE_BIN overrides, run the pipeline with a controlled SUMMARIZE_BIN pointing to a known executable, or inspect/lock the config file at ~/.openclaw/state/weatherpanel_note_aipc/config.json.
5) If you want extra safety, run the scripts in a restricted environment or inspect the bundled files (they are included) before use.




Runtime requirements

🌤️ Clawdis
