WeatherPanel Note AI PC
Pass
Audited by VirusTotal on May 16, 2026.
Findings (1)
The skill bundle contains a shell injection vulnerability in `scripts/summarize_weather.py`, where `subprocess.run` is invoked with `shell=True` on a command string constructed from parameters (latitude, longitude, etc.) that can be influenced via a local JSON configuration file. While the developer included a comment suggesting this was intended to handle special characters in URLs on Windows, it creates a risk of arbitrary command execution. The rest of the bundle, including weather data retrieval from Open-Meteo and Obsidian integration via `scripts/flush_to_obsidian.py`, appears to follow the stated purpose without evidence of intentional malice or data exfiltration.
