Euskalmet
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the skill executes local Python code that can contact the Euskalmet API and read/write files in the skill directory.
The skill tells the user to execute local Python scripts. That is expected for fetching and formatting forecast data, but it means the user is trusting code shipped with the skill.
./venv/bin/python3 scripts/main.py && ./venv/bin/python3 scripts/format_forecast.py
Run it only if you trust the skill source, and keep execution scoped to the documented skill directory and virtual environment.
Installing dependencies can run or import third-party package code inside the virtual environment.
The setup uses a Python virtual environment and installs dependencies from requirements.txt. This is a normal Python setup path, but it introduces dependency trust considerations.
python3.12 -m venv venv
./venv/bin/pip install -r requirements.txt
Inspect requirements.txt when possible and use the isolated virtual environment as documented.
The skill scripts can use the configured Euskalmet API credential, and the credential may be stored locally in a .env file.
The skill requires provider credentials for the Euskalmet API. This is purpose-aligned and disclosed in SKILL.md, though the registry metadata lists no required environment variables.
EUSKALMET_API_EMAIL=your_email@example.com
EUSKALMET_API_PRIVATE_KEY=your_private_key
Use a dedicated/revocable API credential if available, keep the .env file private, and rotate the key if it is exposed.
