ClawHub

Euskalmet

AdvisoryAudited by VirusTotal on Apr 7, 2026.

Overview

Type: OpenClaw Skill Name: euskalmet Version: 1.0.0 The skill is a legitimate weather forecast tool for the Basque Country that interacts with the official Euskalmet API. The code in scripts/main.py correctly implements JWT authentication using RS256 with a user-provided private key to fetch data from api.euskadi.eus. All scripts (main.py, format_forecast.py, download_images.py) perform actions strictly aligned with the stated purpose, and no indicators of data exfiltration, malicious command execution, or prompt injection were found.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Note
ASI05: Unexpected Code Execution
What this means

Running the skill executes local Python code that can contact the Euskalmet API and read/write files in the skill directory.

Why it was flagged

The skill tells the user to execute local Python scripts. That is expected for fetching and formatting forecast data, but it means the user is trusting code shipped with the skill.

Skill content
./venv/bin/python3 scripts/main.py && ./venv/bin/python3 scripts/format_forecast.py
Recommendation

Run it only if you trust the skill source, and keep execution scoped to the documented skill directory and virtual environment.

Note
ASI04: Agentic Supply Chain Vulnerabilities
What this means

Installing dependencies can run or import third-party package code inside the virtual environment.

Why it was flagged

The setup uses a Python virtual environment and installs dependencies from requirements.txt. This is a normal Python setup path, but it introduces dependency trust considerations.

Skill content
python3.12 -m venv venv
./venv/bin/pip install -r requirements.txt
Recommendation

Inspect requirements.txt when possible and use the isolated virtual environment as documented.

Note
ASI03: Identity and Privilege Abuse
What this means

The skill scripts can use the configured Euskalmet API credential, and the credential may be stored locally in a .env file.

Why it was flagged

The skill requires provider credentials for the Euskalmet API. This is purpose-aligned and disclosed in SKILL.md, though the registry metadata lists no required environment variables.

Skill content
EUSKALMET_API_EMAIL=your_email@example.com
EUSKALMET_API_PRIVATE_KEY=your_private_key
Recommendation

Use a dedicated/revocable API credential if available, keep the .env file private, and rotate the key if it is exposed.