Weather Advisor

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill appears non-malicious, but its code does not fetch real weather despite advertising real-time weather advice, and it stores query arguments locally.

Review this skill carefully before installing. It does not currently provide real weather data, so do not rely on it for safety, travel, or alert decisions. If you run it, avoid entering sensitive location or activity details unless you are comfortable with them being saved locally.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user or agent could produce weather, clothing, or travel recommendations that appear data-backed but are not actually based on current conditions.

Why it was flagged

The implementation records arguments and returns completion/reference links, with no weather API request or weather fields. This conflicts with SKILL.md's claim of `实时天气查询、未来7天预报` ("real-time weather queries, 7-day forecast") and may cause users to trust advice that is not based on live weather data.

Skill content

"input": " ".join(args) if args else "", "status": "completed" ... "message": "now完成" ... "reference_urls": REF_URLS[:3]

Recommendation

Do not rely on this skill for live weather until it implements a trusted weather data source and clearly reports source, timestamp, and unavailable fields.

What this means

Cities, activities, or travel-related query details may remain on disk after use.

Why it was flagged

Each command appends a record containing the raw input arguments to a persistent local JSON file. This is local and scoped, but weather queries can reveal location or activity plans.

Skill content

DATA_DIR = os.path.join(..., "..", "data") ... data["records"].append(record) ... save_data(data)

Recommendation

Avoid putting sensitive personal details in command arguments, and delete the generated data file if you do not want query history retained.

What this means

Installing an unused dependency adds avoidable package supply-chain exposure.

Why it was flagged

The setup step asks for an unpinned package install. This is disclosed and normally purpose-aligned for weather APIs, but the reviewed script does not import or use `requests`, making the dependency unnecessary in the provided version.

Skill content

pip install requests

Recommendation

Remove the dependency if unused, or pin and document it if future versions actually call a weather API.

What this means

Users may be uncertain whether an API key or other credential is required or how it would be handled.

Why it was flagged

The capability signal suggests sensitive credentials may be needed, while the registry metadata lists no required env vars or primary credential and the included code shows no credential access. This is a contract inconsistency, not evidence of credential misuse.

Skill content

requires-sensitive-credentials

Recommendation

Do not provide credentials unless a future version clearly declares the exact credential, scope, storage, and use.