Weather Fetch
PassAudited by VirusTotal on May 2, 2026.
Overview
Type: OpenClaw Skill Name: weather-fetch Version: 1.0.0 The skill is a web scraping tool designed to fetch weather data from m.weathercn.com using the Playwright library. The script `scripts/weather_fetch.py` navigates to a specific mobile weather URL and extracts information like temperature and AQI using regex. While the documentation claims support for nationwide cities, the current implementation only includes hardcoded identifiers for two specific cities. There are no signs of malicious intent, data exfiltration, or prompt injection.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Weather lookups for most Chinese cities may fail even though the skill description suggests broad coverage.
The code only has two city entries, while the SKILL.md and README claim support for nationwide city weather queries. This is a capability mismatch rather than evidence of malicious behavior.
CITIES = {
'苍南': {'id': '2333656', 'path': 'cangnan-county'},
'梧州': {'id': '58361', 'path': 'wuzhou-city'}
}Treat the advertised city coverage as limited unless the maintainer expands the city database or documents the current limitation.
The skill may not run until Playwright and its browser components are installed, and users must ensure they install them from trusted sources.
The skill imports Playwright, but the provided install metadata says there is no install spec. This leaves dependency installation and browser setup outside the reviewed artifacts.
from playwright.sync_api import sync_playwright
Install Playwright only from official package sources and prefer a future version that declares its dependencies explicitly.
Normal use contacts m.weathercn.com and runs that page in a headless browser with reduced sandbox protection.
The script launches a headless Chromium browser and loads an external weather page. This is disclosed and purpose-aligned, but '--no-sandbox' reduces isolation if the remote page or browser were exploited.
browser = p.chromium.launch(headless=True, args=['--no-sandbox']) ... page.goto(url, timeout=30000)
Run the skill in a contained environment if possible, and consider removing '--no-sandbox' unless it is required by the runtime.