Back to skill
Skillv1.0.0
ClawScan security
weather-skill-0311 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 10, 2026, 4:55 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, instructions, and requirements match its stated purpose (querying wttr.in for weather, with an offline demo); there are no unexpected credentials, installs, or hidden endpoints.
- Guidance
- This skill appears coherent and safe for its stated purpose. Things to consider before installing: (1) The script issues HTTP GETs to wttr.in — these queries include the city name in plaintext. If you consider city queries sensitive, use the --offline demo or avoid sending them. (2) The code uses http://wttr.in (not https) — you may want to change the URL to https://wttr.in for encrypted transport. (3) The skill has a dummy homepage (example.com); if you rely on third-party support, verify the source. (4) No credentials are requested and there is no install step, but the agent will perform outbound network requests when invoked; ensure your environment allows or restricts that as appropriate.
Review Dimensions
- Purpose & Capability
- okName/description (查询全球任意城市天气) align with the code and SKILL.md. The script queries wttr.in and supports an offline demo; no unrelated binaries, env vars, or config paths are requested.
- Instruction Scope
- okSKILL.md instructs calling the included Python script or using offline mode. The runtime instructions and the script only perform HTTP requests to wttr.in and parse the JSON; they do not read other files, environment variables, or transmit data to unexpected endpoints.
- Install Mechanism
- okNo install spec is present (instruction-only), and the included code is small and local. Nothing is downloaded or extracted from third-party URLs during install.
- Credentials
- okThe skill requests no environment variables or credentials. The behavior (HTTP request to wttr.in) does not require secrets; tests and code do not access hidden env vars.
- Persistence & Privilege
- okalways is false and the skill does not modify other skills or system config. It does not request persistent privileges.