weather-query-ych
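v1.0.0
Queries the weather forecast for a specified city and date, providing the weather conditions and temperature range, with support for parsing Chinese city names and dates.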
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
Name/description match a simple weather lookup and the code indeed calls an external weather API, but the skill declares no credentials or provider while the code contains an embedded API key and a non-standard URL format. A weather skill would normally request the user's own API key or document the provider — the hard-coded key is unexpected.
Instruction Scope
SKILL.md instructs the agent to parse city/date and call a weather API, which is in-scope. However the runtime code hard-codes an API key and a specific request URL pattern not described in SKILL.md, reducing transparency and giving the skill unilateral network access to an external service without documenting it.
Install Mechanism
No install spec (instruction-only) and no package installation; the only code is a small Python file that uses requests. No additional installers or remote downloads were found.
Credentials
The skill declares no required environment variables or credentials but embeds a literal API key in agent.py. Embedding credentials in code is disproportionate, risks leaking the key, and prevents users from supplying their own credentials as expected.
Persistence & Privilege
The skill is not always-enabled and does not request persistent or system-wide configuration changes. It will perform outbound network requests when invoked, which is expected for a weather lookup.
What to consider before installing
This skill appears to do weather lookups, but the author put an API key directly in the code and did not declare any required credentials — that's a red flag. Before installing: (1) ask the publisher to explain the API key origin and revoke it if it's private; (2) prefer a version that accepts an API key via an environment variable or configuration you control; (3) verify the external endpoint (the code uses api.weather.com-style URLs) and ensure it's trustworthy; (4) if you must use it, monitor network activity and consider running it in an isolated environment. If you cannot verify the key/provider, treat the skill as untrusted.
Like a lobster shell, security has layers — review code before you run it.
latest
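Skill name: Weather Query
Trigger scenario
Invoke this skill when the user asks about the weather.
Input examples
- "What's the weather like in Beijing today?"
- "Will it rain in Shanghai tomorrow?"
Execution logic
- Parse the city and date from the user's question.
- Call the weather API to fetch the data.
- Return the formatted result (e.g. "院彩华测试:北京今天晴,20-25℃").
Output format
- Text:
院彩华测试: {城市} {日期} {天气状况}, {温度范围}
Exception handling
- If the city is not recognized, reply: "请提供有效城市名".
- If the API call fails, reply: "天气服务暂时不可用".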
