Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

weather character skill

v1.0.0

Weather Character Skill - Generate daily weather-themed character images based on mood, weather, and city. Features interactive dialog, 27 Chinese cities, an...

by 一宏 @waffle105
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Pending
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (generate weather-themed character images) align with the SKILL.md features (mood, city, scheduled run). However, the SKILL.md implies use of real-time weather data and image generation but does not declare how weather is fetched (no API or service mentioned) nor any required credentials for weather services.
! Instruction Scope
The SKILL.md tells the user/agent to run 'python weather_character.py' and 'python scheduler.py', replace 'cankaotu.png', and consult README.md — but the skill bundle contains only SKILL.md (no code files, no README, no image). Instructing execution of absent scripts is a strong inconsistency: an agent following these instructions would need to fetch or run arbitrary code outside this skill. The instructions also tell you to install packages (requests, schedule) but give no further detail about network endpoints, where code comes from, or what the scripts do.
Install Mechanism
There is no install specification in the registry (instruction-only), which is low-risk. The Quick Start recommends 'pip install requests schedule' — a reasonable, low-impact dependency instruction — but because the actual Python files are missing, the install guidance is incomplete and could lead users to run code obtained from elsewhere.
! Credentials
The skill declares no required environment variables or credentials, yet its functionality (real-time weather per city) typically requires network access and often an API key. The absence of declared env vars or a primary credential is an unexplained gap. If the (missing) scripts contact third-party APIs, they may require keys or transmit data — the skill does not document or request these.
Persistence & Privilege
The skill metadata does not request persistent/autonomous privileges (always:false), which is appropriate. However, the SKILL.md instructs creating a scheduled daily task (run scheduler.py at 7:30 AM). Setting up recurring execution on the user's system is a form of persistence and should be treated cautiously, especially because the scripts to be scheduled are not included in the package.
What to consider before installing
Do not install or run code based only on this SKILL.md. The file instructs you to run 'weather_character.py' and 'scheduler.py' and to replace an image, but those files are not present in the skill bundle. Ask the publisher for the source code or a trusted repository link and verify what the scripts do (network calls, credentials required, data they read/write) before executing anything. If you choose to proceed: (1) review the Python scripts locally (don't run them blind), (2) check for any weather API endpoints and required API keys, (3) confirm scheduled tasks run exactly the intended code, and (4) avoid supplying unrelated credentials or allowing downloads from untrusted URLs. If the author cannot provide the missing files or a verifiable repo, treat this skill as incomplete and avoid installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk9735z51fng6qj53sjek3f9r2h83x6sd
