Skill v2.0.0
ClawScan security
Caiyun Weather Daily Push · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 24, 2026, 3:07 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code and instructions match its stated purpose (fetching Caiyun weather and pushing a daily notification); it only needs the Caiyun token and location and does not contact unexpected endpoints or request unrelated credentials.
- Guidance
- This package appears to do what it says: call the Caiyun Weather API and format/push a daily weather message. Before installing: (1) Confirm the CAIYUN_TOKEN is a dedicated API token kept in a secure environment variable (do not paste it into chat). (2) Because the source/homepage is unknown, prefer running the scripts locally in a controlled account or container, and use --dry-run to inspect the output first. (3) If you don't want an external CLI used, remove or ignore the OpenClaw send step; the code prints the message as a fallback. (4) Verify registry metadata vs SKILL.md (the registry omitted required env vars); ask the publisher for a canonical source or repo if you need stronger provenance.
Review Dimensions
- Purpose & Capability
- note: Name/description, SKILL.md, and included scripts consistently implement a Caiyun weather to message-push workflow. Minor metadata mismatch: the registry metadata lists no required env vars while SKILL.md and the scripts require CAIYUN_TOKEN, LNG, LAT (and optionally LOCATION_NAME/PUSH_CHANNEL). This is a transparency/metadata issue but not a functional mismatch.
- Instruction Scope
- ok: Runtime instructions and scripts only fetch data from api.caiyunapp.com, parse it locally, and attempt to send via an OpenClaw CLI if available. They do not read unrelated system files, scan for other credentials, or exfiltrate to third-party endpoints.
- Install Mechanism
- ok: No install spec (instruction-only with shipped scripts). Nothing is downloaded from arbitrary URLs or installed automatically; risk from install mechanism is low.
- Credentials
- note: Environment variables used (CAIYUN_TOKEN, LNG, LAT, optional LOCATION_NAME, PUSH_CHANNEL) are proportional to the task. Note the registry metadata omission of required env vars: confirm you provide only the Caiyun token and coordinates. No other secrets or unrelated service credentials are requested.
- Persistence & Privilege
- ok: always:false and user-invocable; the skill does not request persistent system privileges or modify other skills/configs. It only invokes OpenClaw CLI when present and otherwise prints the message.
