QWeather China

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a coherent QWeather weather tool, but it ships with under-scoped credential handling and a developer-side source-rewriting script (fix_encoding.py) that users should review before installing.

Install only if you are comfortable providing a dedicated QWeather JWT private key and sending requested/default city information to QWeather. Before use, remove or ignore openclaw_config.yaml entries that reference .openclaw private keys, do not run fix_encoding.py as part of normal installation, and avoid exposing auth error output in shared or multi-user environments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The documentation states that the skill may fall back to Open-Meteo, but the declared network permissions only allow '*.qweatherapi.com'. This mismatch is dangerous because it can lead to undocumented outbound requests to an unapproved third-party service, undermining user expectations, permission enforcement, and data-governance controls.
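The practical check for this finding is to enforce the declared permission in code rather than trusting documentation: every outbound URL is matched against the manifest's host pattern before the HTTP client is called, so an undeclared fallback such as Open-Meteo fails closed. The following is an added example (not the skill's code); the hostname devapi.qweatherapi.com and the fetch callable are assumptions for illustration, and the only value taken from the page is the declared pattern '*.qweatherapi.com'.

```python
"""Enforce a skill's declared network allowlist before any outbound request (added example)."""
from __future__ import annotations

from urllib.parse import urlsplit

# The only pattern the skill's manifest declares, per the finding above.
DECLARED_ALLOWLIST = ["*.qweatherapi.com"]


def host_matches(pattern: str, host: str) -> bool:
    """Match a declared host pattern against a hostname.

    '*.example.com' matches any subdomain of example.com. It does not match
    'example.com' itself, 'example.com.evil.net' (suffix smuggling) or
    'evilexample.com' (prefix smuggling); a pattern without '*' must match exactly.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".qweatherapi.com", leading dot keeps the label boundary
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def is_allowed(url: str, allowlist: list[str] = DECLARED_ALLOWLIST) -> bool:
    """True only for https URLs whose parsed hostname matches a declared pattern.

    urlsplit().hostname strips userinfo, so 'https://devapi.qweatherapi.com@evil.net/'
    is judged by 'evil.net'. Plain http is refused because the key-bearing JWT would
    otherwise travel in clear text.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return False
    return any(host_matches(p, parts.hostname) for p in allowlist)


class EgressDenied(RuntimeError):
    """Raised instead of contacting a host the manifest never declared."""


def guarded_fetch(url: str, fetch, allowlist: list[str] = DECLARED_ALLOWLIST):
    """Call `fetch(url)` (any HTTP client callable) only after the allowlist check passes."""
    if not is_allowed(url, allowlist):
        raise EgressDenied(f"host not in declared permissions: {urlsplit(url).hostname}")
    return fetch(url)


def audit(urls: list[str], allowlist: list[str] = DECLARED_ALLOWLIST) -> dict[str, bool]:
    """Review aid: which of the URLs a skill might contact are covered by its manifest."""
    return {u: is_allowed(u, allowlist) for u in urls}


if __name__ == "__main__":
    # Constructed candidate URLs: the documented primary host and the undeclared fallback.
    for url, ok in audit([
        "https://devapi.qweatherapi.com/v7/weather/now?location=101010100",
        "https://api.open-meteo.com/v1/forecast",
    ]).items():
        print("allow" if ok else "DENY ", url)
```

The same `audit` list is where a reviewer would drop every host found in the skill's source; anything reported as denied is either an undeclared dependency or a manifest that needs widening, and both deserve a decision before install.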

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
This file performs source-code rewriting across multiple project files and generates a new script on disk, which is outside the stated purpose of a weather-information skill. Even if intended as maintenance tooling, bundling self-modifying or repository-modifying behavior into a skill increases supply-chain and integrity risk because it can silently alter trusted code paths.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The function rewrites Python source files by regex-replacing calls across the codebase, a capability unrelated to serving weather data. Unnecessary code-modification features expand the attack surface and can be abused to tamper with behavior, especially if executed in an environment where the repository or installed skill files are writable.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The file creates a new executable-style Python script on disk, which is not justified by the skill's weather-service purpose. File creation capabilities can be leveraged to persist code, introduce unreviewed execution paths, or mislead operators into running generated scripts.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The configuration hard-codes a user-specific filesystem path to an Ed25519 private key used for JWT signing. Even though the key contents are not present, exposing a local secret location and coupling the skill to a specific user's private credential is unsafe operationally and may encourage insecure secret handling, accidental leakage, or misuse of privileged API authentication material.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
On authentication failures, the skill returns the current values of multiple environment variables directly to the caller. This leaks internal configuration such as API host, project identifiers, and private key path, which can aid reconnaissance and expose sensitive deployment details to any user who triggers an auth error.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The README documents activation examples using very broad, everyday phrases such as asking about rain, wind, or temperature, without describing clear invocation boundaries or requiring explicit skill selection. In an agent environment, this can cause the skill to trigger unexpectedly during normal conversation, leading to unintended API calls, location use, or response hijacking from other skills.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The release notes state that the skill will automatically read the user's remembered city from MEMORY.md and fall back to a default city, but they do not mention user notice, consent, or how memory is accessed. This creates a privacy risk because users may not realize prior stored location data is being reused, and location is sensitive contextual information in many agent settings.

Missing User Warnings

Low
Confidence
86% confidence
Finding
The handler may send a network weather query using a remembered or default location when the user did not explicitly provide one in the current request. Although the response later includes a location note, the external request is already made first, which can disclose inferred user location to the weather provider without explicit, per-request user consent or clear pre-request notice.
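The fix the two findings above point at is one of ordering: decide where the city came from, surface the notice, and only then (and only with permission) make the network call. The following added example (not the skill's code) keeps the request/memory/default priority described in the release notes; the consent flag, the notice wording and the recording fetch stand-in are assumptions for illustration, and the weather payload is constructed.

```python
"""Gate the outbound weather query on where the city came from (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class CityChoice:
    city: str
    source: str  # "request", "memory" or "default"


def resolve_city(request_city: Optional[str], memory_city: Optional[str], default_city: str) -> CityChoice:
    """Same priority as the release notes: explicit request, then remembered city, then default."""
    if request_city and request_city.strip():
        return CityChoice(request_city.strip(), "request")
    if memory_city and memory_city.strip():
        return CityChoice(memory_city.strip(), "memory")
    return CityChoice(default_city, "default")


def handle_weather_request(
    request_city: Optional[str],
    memory_city: Optional[str],
    default_city: str,
    allow_stored_location: bool,
    fetch: Callable[[str], dict],
) -> dict:
    """Notice first, network second: a stored or default city is sent upstream only with permission."""
    choice = resolve_city(request_city, memory_city, default_city)
    if choice.source != "request" and not allow_stored_location:
        # No request has been made yet; the caller sees what would be used and can confirm.
        return {
            "sent": False,
            "city": choice.city,
            "source": choice.source,
            "notice": f"No city in your request; I have a {choice.source} city ({choice.city}). Confirm to query it.",
        }
    data = fetch(choice.city)
    notice = "" if choice.source == "request" else f"Used your {choice.source} city: {choice.city}"
    return {"sent": True, "city": choice.city, "source": choice.source, "notice": notice, "data": data}


class RecordingFetch:
    """Stand-in for the HTTP client that records which cities were actually sent upstream."""

    def __init__(self) -> None:
        self.sent: list[str] = []

    def __call__(self, city: str) -> dict:
        self.sent.append(city)
        return {"city": city, "temp_c": 21}  # constructed payload, not a QWeather response


if __name__ == "__main__":
    client = RecordingFetch()
    print(handle_weather_request(None, "Beijing", "Shanghai", False, client))
    print("cities sent upstream:", client.sent)  # nothing was sent without permission
```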

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script overwrites Python files in place without confirmation, backup, or review. Silent destructive modification of source files risks integrity loss, accidental breakage, and abuse in environments where users may run the tool expecting only a harmless encoding fix.

Missing User Warnings

Low
Confidence
86% confidence
Finding
The script writes a new test file to disk without prior notice or approval. While lower impact than overwriting existing files, unprompted file creation is still an unnecessary side effect for a weather skill and can create persistence or clutter in trusted directories.
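Because the findings about fix_encoding.py (in-place regex rewriting of source files, and creation of a new script) are exactly the kind of capability a reviewer wants to see before running anything, a pre-install scan for filesystem writes is a reasonable check. The following is an added example (not the skill's code and not the skill's fix_encoding.py): an AST walk over a skill directory that reports open() calls with a writable mode and common pathlib/os/shutil mutation calls. The sample scripts it scans are constructed stand-ins; the attribute names it flags are a coarse review aid (list.remove would also match), not a verdict.

```python
"""Pre-install review: list Python files in a skill directory that write to disk (added example)."""
from __future__ import annotations

import ast
import os
import tempfile

WRITE_OPEN_MODES = set("wax+")  # any of these in an open() mode string allows writing
WRITE_CALLS = {
    "write_text", "write_bytes", "unlink", "rename", "replace", "remove",
    "rmtree", "copy", "copyfile", "move",
}

# Constructed stand-in for a "fix encoding" helper that rewrites files in place and
# drops a generated script; it is NOT the skill's fix_encoding.py.
SAMPLE_REWRITER = '''
import re, pathlib
for p in pathlib.Path(".").rglob("*.py"):
    src = p.read_text(encoding="utf-8")
    src = re.sub(r"old_call\\(", "new_call(", src)
    with open(p, "w", encoding="utf-8") as fh:
        fh.write(src)
pathlib.Path("generated_test.py").write_text("print('ok')\\n")
'''

# Constructed read-only module for contrast.
SAMPLE_CLEAN = 'import json\ndef load(p):\n    with open(p, encoding="utf-8") as fh:\n        return json.load(fh)\n'


def _open_mode(call: ast.Call) -> str | None:
    """Literal mode of an open()/Path.open() call; 'r' when omitted; None when not a literal."""
    if len(call.args) >= 2:
        return str(call.args[1].value) if isinstance(call.args[1], ast.Constant) else None
    for kw in call.keywords:
        if kw.arg == "mode":
            return str(kw.value.value) if isinstance(kw.value, ast.Constant) else None
    return "r"


def find_disk_writes(source: str, filename: str = "<skill>") -> list[tuple[int, str]]:
    """Return sorted (line, description) pairs for calls that can modify the filesystem."""
    hits = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
        if name == "open":
            mode = _open_mode(node)
            if mode is None or WRITE_OPEN_MODES & set(mode):  # non-literal mode is reported too
                hits.append((node.lineno, f"open(mode={mode!r})"))
        elif name in WRITE_CALLS:
            hits.append((node.lineno, f"{name}()"))
    return sorted(hits)


def scan_skill_dir(root: str) -> dict[str, list[tuple[int, str]]]:
    """Walk a skill directory and report every .py file that writes to disk."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            if fn.endswith(".py"):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_disk_writes(fh.read(), path)
                if hits:
                    report[os.path.relpath(path, root)] = hits
    return report


def demo() -> dict[str, list[tuple[int, str]]]:
    """Write the constructed samples into a scratch directory and scan it."""
    root = tempfile.mkdtemp(prefix="skill-review-")
    with open(os.path.join(root, "sample_rewriter.py"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_REWRITER)
    with open(os.path.join(root, "weather.py"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_CLEAN)
    return scan_skill_dir(root)


if __name__ == "__main__":
    for path, hits in demo().items():
        for line, what in hits:
            print(f"{path}:{line}: {what}")
```

Run `scan_skill_dir` against the unpacked skill before installing; a weather skill whose only legitimate writes are its own cache should produce a very short list, and anything that overwrites `.py` files or creates new scripts is what the findings above describe.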

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The manifest declares monitoring and usage statistics such as request counts, response times, popular city, and last request time, but provides no user-facing notice, consent, retention, or control information. For a consumer-facing weather skill, this creates a privacy risk because location-related usage patterns and behavioral metadata may be collected without transparency.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The code exposes environment-derived configuration values in a plain-language authentication error shown to the end user. Even when the values are not direct secrets, they reveal deployment internals and can help an attacker map the service configuration or target follow-on attacks.

Ssd 3

Medium
Confidence
99% confidence
Finding
The authentication error path discloses environment variable values and configuration state directly in the response body. In a skill context exposed to end users, this unnecessarily turns operational misconfiguration into an information disclosure primitive that attackers can intentionally trigger.
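The three error-path findings (this one and the two above) and the hard-coded key-path finding share one remedy: resolve the key location from configuration rather than a user-specific literal, refuse a key file that other local users can read, and when authentication cannot proceed tell the caller which setting is missing without echoing any value. The following is an added example, not the skill's code; the variable names QWEATHER_API_HOST, QWEATHER_PROJECT_ID, QWEATHER_KEY_ID and QWEATHER_PRIVATE_KEY_FILE, the sample host and the PEM placeholder are assumptions for illustration, and `leaky_auth_error` is a reconstruction of the reported pattern for contrast, not the skill's function.

```python
"""Credential loading that neither hard-codes the key path nor leaks config in errors (added example)."""
from __future__ import annotations

import os
import stat
import tempfile
from dataclasses import dataclass

# Assumed variable names for the example; the skill's own names are not on this page.
REQUIRED = (
    "QWEATHER_API_HOST",
    "QWEATHER_PROJECT_ID",
    "QWEATHER_KEY_ID",
    "QWEATHER_PRIVATE_KEY_FILE",
)

# Constructed placeholder so the example runs offline; it is not a real Ed25519 key.
SAMPLE_PEM = b"-----BEGIN PRIVATE KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n"


class AuthConfigError(Exception):
    """Safe to show to the caller: names what is wrong, never a value."""


@dataclass(frozen=True, repr=False)
class AuthConfig:
    api_host: str
    project_id: str
    key_id: str
    private_key_pem: bytes

    def __repr__(self) -> str:  # keeps the key out of tracebacks and debug logs
        return f"AuthConfig(api_host={self.api_host!r}, project_id=<redacted>, key=<redacted>)"


def read_private_key(path: str) -> bytes:
    """Read the PEM only if it is a regular file that group/others cannot access."""
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        raise AuthConfigError("private key path is not a regular file")
    if st.st_mode & 0o077:
        raise AuthConfigError("private key file must be mode 0600 (chmod 600 <file>)")
    with open(path, "rb") as fh:
        return fh.read()


def load_auth_config(env: dict[str, str]) -> AuthConfig:
    """Build the config from an environment mapping; report missing names, not values."""
    missing = sorted(name for name in REQUIRED if not env.get(name))
    if missing:
        raise AuthConfigError("missing configuration: " + ", ".join(missing))
    pem = read_private_key(env["QWEATHER_PRIVATE_KEY_FILE"])
    return AuthConfig(env["QWEATHER_API_HOST"], env["QWEATHER_PROJECT_ID"], env["QWEATHER_KEY_ID"], pem)


def leaky_auth_error(env: dict[str, str]) -> str:
    """The reported anti-pattern (reconstructed for contrast): current values go to the caller."""
    return "auth failed; config: " + ", ".join(f"{k}={env.get(k)}" for k in REQUIRED)


def handle_auth_failure(exc: Exception, env: dict[str, str]) -> dict:
    """Split the caller-facing message from the operator-facing state (set/unset, no values)."""
    user_msg = str(exc) if isinstance(exc, AuthConfigError) else "authentication failed"
    operator = {k: ("<set>" if env.get(k) else "<unset>") for k in REQUIRED}
    return {"user": user_msg, "operator_log": operator}


def _write_key(mode: int) -> str:
    fd, path = tempfile.mkstemp(prefix="qweather-key-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(SAMPLE_PEM)
    os.chmod(path, mode)
    return path


def _sample_env(key_mode: int) -> dict[str, str]:
    return {
        "QWEATHER_API_HOST": "devapi.qweatherapi.com",  # assumed host for the example
        "QWEATHER_PROJECT_ID": "proj-example",
        "QWEATHER_KEY_ID": "kid-example",
        "QWEATHER_PRIVATE_KEY_FILE": _write_key(key_mode),
    }


def _run(env: dict[str, str]) -> tuple[dict[str, str], str, dict]:
    try:
        return env, leaky_auth_error(env), {"user": "ok", "config": load_auth_config(env)}
    except AuthConfigError as exc:
        return env, leaky_auth_error(env), handle_auth_failure(exc, env)


def demo_ok() -> AuthConfig:
    return load_auth_config(_sample_env(0o600))


def demo_world_readable() -> tuple[dict[str, str], str, dict]:
    return _run(_sample_env(0o644))


def demo_missing() -> tuple[dict[str, str], str, dict]:
    env = _sample_env(0o600)
    env.pop("QWEATHER_PROJECT_ID")
    env["QWEATHER_PRIVATE_KEY_FILE"] = ""
    return _run(env)


if __name__ == "__main__":
    _, leaky, safe = demo_world_readable()
    print("leaky:", leaky)
    print("safe :", safe["user"], "|", safe["operator_log"])
```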

Session Persistence

Medium
Category
Rogue Agent
Content
2. **Private key file preparation**
   ```bash
   # Create the configuration directory
   mkdir -p ~/.config/qweather

   # Copy the QWeather private key to a separate location
   cp /path/to/your/qweather-private.pem ~/.config/qweather/private.pem
   chmod 600 ~/.config/qweather/private.pem
   ```
3. **Python dependencies** (handled automatically at install time)
Confidence
88% confidence
Finding
The matched text is the README key-preparation step quoted above: it creates ~/.config/qweather, copies the QWeather private key into it and restricts the file to mode 600, followed by the note that Python dependencies are handled automatically at install time.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal