Back to skill
Skillv1.0.0
ClawScan security
Weather · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 11, 2026, 8:21 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is internally consistent with its stated purpose: it provides weather via wttr.in and Open-Meteo using curl, requires no credentials or installs, and the runtime instructions stay on-task (minor metadata mismatch noted).
- Guidance
- This skill uses curl to fetch weather from wttr.in and Open‑Meteo and does not request any keys or install software. Before installing: ensure you are comfortable with the agent making outbound HTTP requests (queries will include the location you ask for), confirm curl is available on the host if you want the one-liners to work, and note the small metadata mismatch (registry says no required binaries while SKILL.md lists curl). If you want to avoid network access or remote logging of queried locations, do not enable this skill or restrict the agent's network permissions.
Review Dimensions
- Purpose & Capability
- noteName/description claim 'no API key required' and the instructions call only to wttr.in and open-meteo (both free/no-key). However, SKILL.md metadata lists curl as a required binary while the registry metadata shows 'Required binaries: none' — a small inconsistency (curl is reasonably required for the documented usage).
- Instruction Scope
- okSKILL.md only instructs making HTTP requests to wttr.in and open-meteo and saving an optional PNG to /tmp; it does not instruct reading unrelated files, accessing credentials, or sending data to unexpected endpoints.
- Install Mechanism
- okNo install spec and no code files — instruction-only skill. This minimizes disk footprint and is appropriate for a curl-based weather helper.
- Credentials
- okThe skill requests no environment variables or credentials, which is proportionate to its function. (curl availability is the only operational dependency.)
- Persistence & Privilege
- okalways:false and no special persistence requested. The skill can be invoked autonomously by the agent per platform defaults, but it does not request elevated or permanent privileges.