Frost Sentinel Lite
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may believe their location never leaves their machine, when forecast requests can reveal approximate location coordinates to a third-party provider.
The guide makes a strong privacy claim, but also says location-derived coordinates are used with Open-Meteo, an external weather API.
This agent operates entirely locally. Your data is never sent to a third-party server... Reply with your Operating ZIP/Postcode. The agent will automatically convert this to GPS coordinates for the Open-Meteo API and save it locally.
Revise the documentation and prompts to clearly disclose that Open-Meteo receives coordinates, and ask for user consent before storing or using location data.
Your ZIP/postcode or derived coordinates may remain on disk and be reused by the skill across sessions.
The skill persists location information for future automated runs.
check local `settings.json` for the user's Operating ZIP/Postcode. Convert to GPS coordinates... Save response to `settings.json`.
Document the exact settings file location, provide a clear way to edit or delete it, and avoid entering a more precise location than needed.
If enabled, the skill can automatically check forecasts, store location settings, and send alerts without a manual prompt each day.
The skill can run on a schedule and use network, notification, and local file tools; these are expected for daily weather alerts but still grant automated action capability.
cron: "0 16 * * *"... permissions: web_fetch, notify, local_read, local_write
Install only if you want scheduled alerts, and keep network access limited to the documented Open-Meteo and localhost notification destinations.
You have less independent context for the publisher or project history.
The artifact has limited public provenance, although no executable code or install script is provided.
Source: unknown; Homepage: none
Prefer a verified source or maintainer information when available, and review future updates before granting permissions.
