Skill v1.0.0

ClawScan security

weather-mcp · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 10, 2026, 1:15 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's instructions, requirements, and behavior are internally consistent with a weather-query helper that shows how to call an MCP SSE endpoint and parse results; it requests no credentials, installs nothing, and limits itself to constructing requests and parsing SSE responses.
Guidance
This skill is coherent and low-friction, but check the endpoint before use: it points to a third-party dev host (api-dev.ljyd.cn). If you don't trust that host, or you intended to use an internal MCP, update the URL to your official service. The skill does not request secrets, and it sensibly instructs the agent to provide runnable curl/code examples rather than pretending it can always reach your local MCP. If you plan to let the agent call the public endpoint automatically, be aware the request may include location information — avoid sending precise personal coordinates unless you trust the service. Finally, if you have official MCP API docs, consider replacing the abstract request/response shapes in the SKILL with the real schema to avoid parsing errors.

Review Dimensions

Purpose & Capability
ok: The name/description match the SKILL.md: it explains how to query a specific MCP SSE weather endpoint and how to summarize results. There are no extra credentials, binaries, or unrelated requirements that don't belong to a weather-query helper.
Instruction Scope
note: Instructions are narrowly focused: construct JSON requests, call the stated SSE URL, stream and parse events, and summarize results. The doc explicitly warns the cloud agent may not be able to reach a local/private MCP and instructs the agent to provide curl/code examples for the user to run locally. Minor note: the endpoint is a hard-coded dev host (https://api-dev.ljyd.cn/...), so callers should verify they intend to use that specific third-party URL.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files — nothing is written to disk or installed, which is proportionate for this task.
Credentials
ok: No environment variables, credentials, or config paths are requested. The SKILL.md mentions an optional Authorization header but does not require any tokens; this is reasonable and proportional for a simple API client doc.
Persistence & Privilege
ok: Skill is not forced-always, does not request persistent privileges, and does not instruct modifying other skills or global agent configuration.