ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Amap Weather (高德天气)

v1.0.0

Query weather via Amap (高德) Weather API — China's most accurate location-based weather service. Use when user asks about weather in Chinese cities, mentions...

0· 80·1 current·1 all-time
byWen@wyatt88
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill's name, description, SKILL.md, and the bundled Python script all align: it queries Amap weather and needs an AMAP_API_KEY. However, the registry metadata lists no required environment variables or primary credential, which contradicts the SKILL.md and the script that reads AMAP_API_KEY. This is likely a metadata omission but is an incoherence that should be fixed.
Instruction Scope
SKILL.md and the script instruct only to call Amap's weather endpoint (restapi.amap.com) and to present formatted results. The instructions do not ask the agent to read unrelated files, other environment variables, or to transmit data to unexpected endpoints. The script only performs network calls to the documented API and formats output.
Install Mechanism
No install spec is provided (instruction-only with a bundled script). There are no downloads or archives, no brew/npm installs, and no writing of arbitrary code to disk beyond the included script. This is low-risk from an install mechanism perspective.
!
Credentials
The functional requirement for a single AMAP_API_KEY is reasonable and proportionate for this weather client. The concern is the mismatch between the script/SKILL.md (which require AMAP_API_KEY) and the registry metadata (which declares no required env vars). That mismatch could lead to confusion or misconfiguration; ensure the skill actually requests only that key and no other credentials at runtime.
Persistence & Privilege
The skill does not request elevated or persistent privileges. always is false and autonomous invocation is allowed (platform default). The skill does not modify other skills or system-wide settings.
What to consider before installing
This skill appears to be a simple Amap weather client and its code only calls the official Amap weather endpoint. However: (1) SKILL.md and the bundled script require an AMAP_API_KEY, but the registry metadata does not list any required env vars—confirm this discrepancy with the publisher before installing. (2) Because the source/homepage are unknown, review the included scripts yourself (they are small and readable) to verify there are no hidden endpoints or extra network calls. (3) If you provide an API key, consider creating a restricted key (limit it to the Amap Web Services/weather API and set IP or referrer restrictions if possible). (4) If you need higher assurance, ask the publisher to update registry metadata to declare AMAP_API_KEY and provide a verifiable homepage or source repository. If you cannot verify these points, treat the metadata inconsistency as a risk.

Like a lobster shell, security has layers — review code before you run it.

latestvk976ax5jmw5w17jtb8en5g88fh83gws7

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments