China Weather

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a straightforward China weather lookup skill, with expected notes around third-party weather APIs, optional API keys, and a user-run Python dependency install.

This skill looks proportionate for checking Chinese weather. Before installing or using it, be aware that it may call third-party weather services, optional API keys should be protected, and the documented `pip install requests` step should be run only in a trusted Python environment.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The user may install whatever current `requests` package their pip configuration resolves, which is a small supply-chain and reproducibility risk.

Why it was flagged

The skill asks the user to install the Python `requests` package without pinning a version. This is a normal dependency for an HTTP weather client, but it leaves package version and source trust to the user's Python environment.

Skill content

## Step 1: Install Dependencies

```bash
pip install requests
```

Recommendation

Install in a virtual environment from a trusted package index, and consider pinning a known-good version if packaging this skill for repeat use.

What this means

If the user configures provider keys, the skill can consume that weather-service account's quota and send requests under that account.

Why it was flagged

The skill documents optional credentials for weather providers. These credentials are expected for the stated weather-query purpose, but they are not declared as required environment variables in the registry metadata.

Skill content

```bash
export QWEATHER_API_HOST="你的API_HOST"  # e.g.: abc1234xyz.def.qweatherapi.com
export QWEATHER_API_KEY="你的API_KEY"
```

Recommendation

Prefer the no-key provider when sufficient, or use limited/revocable API keys and avoid pasting keys into shared chats or logs.

What this means

City names, query timing, and any configured provider credentials may be visible to the selected weather API provider.

Why it was flagged

The skill discloses that weather lookups may be sent to multiple third-party weather providers. This is necessary for the feature, but it is still a user-data flow to outside services.

Skill content

```python
API_CHAIN = [
    {"name": "qweather", "priority": 1, "fallback": True},
    {"name": "seniverse", "priority": 2, "fallback": True},
    {"name": "openweathermap", "priority": 3, "fallback": True},
    {"name": "wttr", "priority": 4, "fallback": False}
]
```

Recommendation

Use providers you trust, and avoid querying sensitive locations if you do not want those requests sent to third-party weather services.