기상청 날씨 (KMA Weather Korea)
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill is mostly a normal Korean weather API helper, but one script reads an API key from a hard-coded local user path instead of the documented credential location.
Before installing, review or edit scripts/morning_briefing.sh so it uses your own documented API-key path, make sure curl/jq/python3 are available, and only enable AirKorea or notification/cron integrations if you understand where your location and briefing data will be sent.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A weather request could use the wrong local credential file or expose a specific user's data.go.kr API key to the configured public-data API requests.
The script reads a credential from a hard-coded /home/scott path rather than the documented current-user path ~/.config/data-go-kr/api_key. This can fail for most users or unexpectedly use a specific local user's API key if that file exists.
API_KEY = open("/home/scott/.config/data-go-kr/api_key").read().strip()
Change the script to read the documented current user's credential path, declare the required credential/config path in metadata, and avoid hard-coded home-directory paths.
The skill may not work unless the user has the expected tools and API key file, and the registry does not fully communicate those requirements.
The script depends on a local API-key file and command-line tools such as curl and jq, while the registry metadata lists no required binaries, env vars, or primary credential. This appears purpose-aligned but under-declared.
API_KEY=$(cat ~/.config/data-go-kr/api_key 2>/dev/null || echo "") ... RESPONSE=$(curl -s -G "$URL" ...); echo "$RESPONSE" | jq '.'
Declare curl, jq, python3, and the data.go.kr API key/config path in the skill metadata or setup instructions.
Weather responses may involve another air-quality skill or a notification connector, potentially sharing location or station information with those integrations.
The skill documents cross-skill integration for air quality and notifications. This is consistent with the weather-briefing purpose, but the referenced skills/connectors are outside the provided artifacts.
connectors: [~~weather, ~~air, ~~notify] ... `skills/airkorea-air-quality/scripts/air_quality.sh [station]`
Review and install the referenced air-quality and notification skills separately, and only enable notifications for destinations you control.
If configured, the skill could send recurring weather notifications on a schedule.
The playbook describes a recurring morning briefing via a notification channel. The artifacts do not show automatic persistence setup, so this is a disclosed optional workflow rather than hidden background behavior.
- Time: daily at 07:30 - Channel: ~~notify (Notification) - Cron script: morning_briefing.sh
Only create a cron job or notification integration after explicit user approval, and document how to disable it.
