Weather Fetch

PassAudited by ClawScan on May 2, 2026.

Overview

This appears to be a straightforward weather-scraping skill, with minor review notes about browser automation setup and narrower city support than advertised.

Before installing, understand that this runs a Playwright/Chromium scraper that contacts m.weathercn.com with the requested city name. It does not show credential use or persistence, but you may need to install Playwright yourself, and the current code only supports a small city list despite broader documentation claims.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Info

#ASI09: Human-Agent Trust Exploitation

What this means

Weather lookups for most Chinese cities may fail even though the skill description suggests broad coverage.

Why it was flagged

The code only has two city entries, while the SKILL.md and README claim support for nationwide city weather queries. This is a capability mismatch rather than evidence of malicious behavior.

Skill content

CITIES = {
    '苍南': {'id': '2333656', 'path': 'cangnan-county'},
    '梧州': {'id': '58361', 'path': 'wuzhou-city'}
}

Recommendation

Treat the advertised city coverage as limited unless the maintainer expands the city database or documents the current limitation.

Low

#ASI04: Agentic Supply Chain Vulnerabilities

What this means

The skill may not run until Playwright and its browser components are installed, and users must ensure they install them from trusted sources.

Why it was flagged

The skill imports Playwright, but the provided install metadata says there is no install spec. This leaves dependency installation and browser setup outside the reviewed artifacts.

Skill content

from playwright.sync_api import sync_playwright

Recommendation

Install Playwright only from official package sources and prefer a future version that declares its dependencies explicitly.

Low

#ASI05: Unexpected Code Execution

What this means

Normal use contacts m.weathercn.com and runs that page in a headless browser with reduced sandbox protection.

Why it was flagged

The script launches a headless Chromium browser and loads an external weather page. This is disclosed and purpose-aligned, but '--no-sandbox' reduces isolation if the remote page or browser were exploited.

Skill content

browser = p.chromium.launch(headless=True, args=['--no-sandbox'])
...
page.goto(url, timeout=30000)

Recommendation

Run the skill in a contained environment if possible, and consider removing '--no-sandbox' unless it is required by the runtime.