v1.0.3

China Weather

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 8:14 AM.

Analysis

This appears to be a straightforward China weather lookup skill, with expected notes around third-party weather APIs, optional API keys, and a user-run Python dependency install.

Guidance: This skill looks proportionate for checking Chinese weather. Before installing or using it, be aware that it may call third-party weather services, optional API keys should be protected, and the documented `pip install requests` step should be run only in a trusted Python environment.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Low, Confidence: High, Status: Note
SKILL.md
## Step 1: Install Dependencies

```bash
pip install requests
```

The skill asks the user to install the Python `requests` package without pinning a version. This is a normal dependency for an HTTP weather client, but it leaves package version and source trust to the user's Python environment.

User impact: The user may install whatever current `requests` package their pip configuration resolves, which is a small supply-chain and reproducibility risk.
Recommendation: Install in a virtual environment from a trusted package index, and consider pinning a known-good version if packaging this skill for repeat use.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low, Confidence: High, Status: Note
SKILL.md
```bash
export QWEATHER_API_HOST="你的API_HOST"  # e.g. abc1234xyz.def.qweatherapi.com
export QWEATHER_API_KEY="你的API_KEY"
```

The skill documents optional credentials for weather providers. These credentials are expected for the stated weather-query purpose, but they are not declared as required environment variables in the registry metadata.

User impact: If the user configures provider keys, the skill can consume that weather-service account's quota and send requests under that account.
Recommendation: Prefer the no-key provider when sufficient, or use limited/revocable API keys and avoid pasting keys into shared chats or logs.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Info, Confidence: High, Status: Note
SKILL.md
```python
API_CHAIN = [
    {"name": "qweather", "priority": 1, "fallback": True},
    {"name": "seniverse", "priority": 2, "fallback": True},
    {"name": "openweathermap", "priority": 3, "fallback": True},
    {"name": "wttr", "priority": 4, "fallback": False}
]
```

The skill discloses that weather lookups may be sent to multiple third-party weather providers. This is necessary for the feature, but it is still a user-data flow to outside services.

User impact: City names, query timing, and any configured provider credentials may be visible to the selected weather API provider.
Recommendation: Use providers you trust, and avoid querying sensitive locations if you do not want those requests sent to third-party weather services.