ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

WeatherPanel Note AI PC

WeatherPanel Note AI PC for Shanghai weather. This skill fetches current weather from Open-Meteo, summarizes the overall conditions with a local LLM through...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 71 · 0 current installs · 0 all-time installs
by@yinquan251
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description match the code: fetch_weather.py calls Open‑Meteo, summarize_weather.py calls a local 'summarize' CLI, dashboard.html is copied to a local Canvas path, and flush_to_obsidian.py appends to an Obsidian note. No unrelated cloud credentials, unrelated binaries, or extraneous capabilities are requested.
Instruction Scope
Runtime instructions are limited to running the bundled Python pipeline and writing only into the user's Canvas and state directories and an Obsidian note. One notable implementation detail: summarize_weather.py launches the summarize CLI with shell=True (it builds a quoted command string) which increases risk if SUMMARIZE_BIN is malicious or contains shell metacharacters; SUMMARIZE_BIN can be overridden via environment or the allowlisted config file. The skill otherwise respects the stated limits (does not read generic secret files and uses an allowlist for config keys).
Install Mechanism
No install spec or remote downloads are present; the skill is instruction + local Python scripts only. Nothing is fetched or executed from arbitrary URLs by the skill itself.
Credentials
The skill declares no required environment variables and the env_loader only populates a small allowlisted set from a user-side config JSON. Allowed keys are non-secret (paths, binary names, coordinates, base URL). The code uses standard HOME/USERPROFILE and optional HTTP_PROXY/HTTPS_PROXY—expected for a network client.
Persistence & Privilege
The skill does not request 'always: true' or any elevated/automatic persistence. It writes state and canvas files under ~/.openclaw/state and the user's Canvas/Obsidian locations (expected for its function) and does not modify global OpenClaw config or system startup settings.
Assessment
This skill appears to do what it says: fetch Open‑Meteo data, summarize via a local summarize CLI, update a local dashboard, and append to an Obsidian note. Before installing or running it, consider: 1) The skill will write files under ~/.openclaw/state and your Canvas directory and will append to the configured Obsidian note — verify OBISIDIAN_VAULT/NOTE_PATH to avoid unwanted writes. 2) The summarization step invokes an external binary named by SUMMARIZE_BIN (default 'summarize') using shell=True; ensure that the summarize binary on your PATH (or any override you set in the allowlisted config) is the trusted implementation you expect. 3) The Obsidian flush step calls an external obsidian-cli; ensure that binary is trusted. 4) If you are concerned about injection via SUMMARIZE_BIN overrides, run the pipeline with a controlled SUMMARIZE_BIN pointing to a known executable, or inspect/lock the config file at ~/.openclaw/state/weatherpanel_note_aipc/config.json. 5) If you want extra safety, run the scripts in a restricted environment or inspect the bundled files (they are included) before use.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.2
Download zip
latestvk976k14jkvat2ewn7svsk6zaf58386vq

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🌤️ Clawdis

SKILL.md

WeatherPanel Note AI PC

What this skill does

  • Fetches current and hourly Shanghai weather from Open-Meteo.
  • Generates a local summary with the installed summarize CLI.
  • Updates the Canvas dashboard data for weatherpanel-note-aipc.
  • Appends summary records to a Markdown note inside the configured Obsidian vault.

Safety and ClawHub alignment

  • Do not modify HEARTBEAT.md.
  • Do not change global OpenClaw config.
  • Do not create or run .bat, .cmd, or .ps1 files.
  • Do not use Windows Task Scheduler, startup folders, registry persistence, or shell profile persistence.
  • Do not read generic secret-bearing files such as env.bat.
  • Only run the Python scripts bundled with this skill.
  • The weather source is fixed to Shanghai coordinates in bundled code.
  • The summary step uses a shell-free subprocess call to the fixed command name summarize found on PATH.
  • The Obsidian step does not invoke obsidian-cli; it writes only to a validated .md path under a configured vault directory inside the user's home directory.

Default action

For a normal invocation, run the bundled pipeline:

python run_weatherpanel.py --mode all

Then tell the user the dashboard is available at the local Canvas path for this skill:

/__openclaw__/canvas/weatherpanel-note-aipc/dashboard.html

Other requests

  • Refresh weather now:

    python run_weatherpanel.py --mode all

  • Fetch only:

    python run_weatherpanel.py --mode fetch

  • Summarize only:

    python run_weatherpanel.py --mode summarize

  • Flush queued summaries to the Obsidian-compatible Markdown note only:

    python run_weatherpanel.py --mode flush

  • Prepare or refresh just the dashboard asset:

    python run_weatherpanel.py --mode prepare-dashboard

  • Check token cost: read the file token_cost.json from the Canvas directory for weatherpanel-note-aipc.

Optional configuration

This skill does not require secrets. If needed, it may read a dedicated allowlisted JSON config file at:

~/.openclaw/state/weatherpanel_note_aipc/config.json

Supported keys are limited to:

  • CANVAS_ROOT
  • OBSIDIAN_VAULT
  • OBSIDIAN_NOTE_PATH
  • OPENCLAW_BASE_URL

Files

7 total
Select a file
Select a file to preview.

Comments

Loading comments…