Skill v1.0.0
ClawScan security
weather-query-ych · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 4, 2026, 8:39 AM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is broadly what it claims (weather queries) but contains a hard-coded API key and mismatches between declared requirements and the code, which is disproportionate and suspicious.
- Guidance: This skill appears to do weather lookups, but the author put an API key directly in the code and did not declare any required credentials — that's a red flag. Before installing: (1) ask the publisher to explain the API key origin and revoke it if it's private; (2) prefer a version that accepts an API key via an environment variable or configuration you control; (3) verify the external endpoint (the code uses api.weather.com-style URLs) and ensure it's trustworthy; (4) if you must use it, monitor network activity and consider running it in an isolated environment. If you cannot verify the key/provider, treat the skill as untrusted.
Review Dimensions
- Purpose & Capability [concern]: Name/description match a simple weather lookup and the code indeed calls an external weather API, but the skill declares no credentials or provider while the code contains an embedded API key and a non-standard URL format. A weather skill would normally request the user's own API key or document the provider — the hard-coded key is unexpected.
- Instruction Scope [concern]: SKILL.md instructs the agent to parse city/date and call a weather API, which is in-scope. However, the runtime code hard-codes an API key and a specific request URL pattern not described in SKILL.md, reducing transparency and giving the skill unilateral network access to an external service without documenting it.
- Install Mechanism [ok]: No install spec (instruction-only) and no package installation; the only code is a small Python file that uses requests. No additional installers or remote downloads were found.
- Credentials [concern]: The skill declares no required environment variables or credentials but embeds a literal API key in agent.py. Embedding credentials in code is disproportionate, risks leaking the key, and prevents users from supplying their own credentials as expected.
- Persistence & Privilege [ok]: The skill is not always-enabled and does not request persistent or system-wide configuration changes. It will perform outbound network requests when invoked, which is expected for a weather lookup.
