Skill v1.0.0

ClawScan security

Bmkg Weather · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 29, 2026, 8:03 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and files are consistent with its stated purpose (fetching BMKG weather and earthquake data); it requires no credentials, installs nothing, and only calls BMKG endpoints.
Guidance
This skill appears to do exactly what it claims: query BMKG public APIs and help map place names to adm4 codes. Before installing, note: (1) it will make network requests to api.bmkg.go.id and data.bmkg.go.id when used (the helper script also tests codes against the API), (2) no credentials are required or requested, and (3) the included wilayah.sql is a large public reference dump (MIT-licensed). If you are comfortable with the agent making outbound requests to BMKG and with storing a local copy of public region data, this skill is coherent and proportionate to its purpose.

Review Dimensions

Purpose & Capability
ok
Name/description match the included assets: SKILL.md documents BMKG endpoints and usage, a small helper script (cari_wilayah.py) looks up adm4 codes, and reference files contain region codes. Nothing requested (no env vars, no binaries) is unrelated to providing BMKG weather/earthquake data.
Instruction Scope
ok
Runtime instructions only direct the agent to query BMKG endpoints (api.bmkg.go.id and data.bmkg.go.id) and to use the provided lookup script or reference files for admin codes. There are no instructions to read local user files, access unrelated environment variables, or transmit data to third-party endpoints.
Install Mechanism
ok
No install spec is provided (instruction-only with a bundled script and reference data). The included Python script is self-contained and uses the standard library (urllib, json). No external downloads, package installs, or archive extraction are present.
Credentials
ok
The skill requests no environment variables, no credentials, and no config paths. All network calls are to BMKG domains as expected. The large SQL reference file contains public administrative codes and is consistent with the lookup functionality.
Persistence & Privilege
ok
The skill is not marked always:true and does not request elevated or persistent privileges. It does perform outbound HTTPS calls (normal for this use case). Autonomous invocation is allowed by default but is not combined with other concerning flags.