Skill v1.0.0
ClawScan security
光伏设计NASA日均气象数据获取 (PV design: NASA daily-average meteorological data retrieval) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 29, 2026, 8:08 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill does what it claims (fetch NASA POWER data, optionally geocode names with Nominatim, and write Excel files); its network calls and files are consistent with that purpose, though there are minor implementation issues to be aware of.
- Guidance: This skill appears coherent with its stated purpose: it geocodes names (OpenStreetMap Nominatim) and fetches NASA POWER data, then writes Excel files. Before installing/using:
  1. Ensure Python and openpyxl are installed (the script will exit if openpyxl is missing).
  2. Be aware the skill makes outbound requests to power.larc.nasa.gov and nominatim.openstreetmap.org (not to unknown endpoints).
  3. Review or run the included scripts in a sandbox first: there is a minor bug in the shown fetch_metdata.py tail (the output path construction in the truncated portion may reference an undefined variable 'out', causing a runtime error), so test a small query first.
  4. Respect Nominatim usage/rate limits and don't batch-geocode many names without checking their policy.

  If you want higher confidence, ask the maintainer for the full, non-truncated fetch_metdata.py (to confirm the final output-path handling and that there are no hidden network calls).
Review Dimensions
- Purpose & Capability: ok. Name/description (NASA POWER meteorological data for wind/solar) match the included scripts and instructions. The code queries power.larc.nasa.gov and (for name->coords) nominatim.openstreetmap.org, which are the expected endpoints for the described functionality.
- Instruction Scope: note. SKILL.md instructions are specific: geocode with Nominatim if needed, then run the included Python script to fetch data and write Excel. The instructions and scripts access only the NASA POWER API and OSM Nominatim, and they write an output Excel into the user's workspace. Note: the skill makes outbound network calls (expected for this purpose) and obeys a small request delay; it supplies a User-Agent for Nominatim (good practice).
- Install Mechanism: ok. No install spec; instruction-only with included Python scripts. This is low-risk: nothing is downloaded at install time. The script requires openpyxl at runtime (it checks and errors if missing).
- Credentials: ok. No environment variables or credentials are requested. The script only needs network access and optional Python dependency (openpyxl). No unrelated secrets or config paths are requested.
- Persistence & Privilege: ok. Skill is not always-enabled and does not request persistent/system-wide privileges. It writes output into a per-user workspace directory (~/.openclaw/workspace/output/metdata) which is reasonable for its purpose.
