Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

China Weather skill (cn-weather) v1.0.0 released. - Provides weather data for Chinese cities, integrating QWeather (和风天气)

v1.0.2

China weather API - uses QWeather (和风天气) to fetch weather data for Chinese cities. Supports two APIs (QWeather + Open-Meteo).

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for zhengge6/cn-weather.

Install the skill "中国天气技能 (cn-weather) v1.0.0 发布。  - 提供中国城市天气数据,集成和风天气(QWeather)" (zhengge6/cn-weather) from ClawHub.
Skill page: https://clawhub.ai/zhengge6/cn-weather
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Config paths to check: QWEATHER_API_KEY
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install zhengge6/cn-weather

ClawHub CLI

npx clawhub@latest install cn-weather

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
Functionality (fetch weather from QWeather/Open‑Meteo, generate reports, optional email/Telegram push) matches the stated purpose. However metadata/registry list a required config path named QWEATHER_API_KEY while runtime code reads a workspace TOOLS.md file instead — this inconsistency suggests sloppy packaging or mis-declared requirements.
! Instruction Scope
SKILL.md instructs the agent/user to edit a workspace TOOLS.md and claims that sensitive data are 'encrypted' there, but the included Python script plainly reads TOOLS.md as plaintext via regex. The instructions also reference other files/scripts (scripts/weather_report_v2.py, scripts/, docs/) that are not present in the package. The script will read TOOLS.md from the workspace root (one level above skills/ and skills/parent), which could expose any secrets the user keeps in that file.
Install Mechanism
No install spec (instruction-only with a bundled script) — lowest installation risk. The script uses the 'requests' library (network calls), but nothing is being downloaded or extracted during install.
! Credentials
The skill asks the user to store API keys and an email authorization code in TOOLS.md rather than using a single service-specific credential variable. The registry declared 'required config paths: QWEATHER_API_KEY' which does not match the actual mechanism. The skill requests an email password/authorization code (sensitive) and defaults to sending reports to a hard-coded QQ address if no recipient is provided — this default external recipient is unexpected and could leak information if email sending is enabled. SKILL.md also recommends loosening host whitelist (adding '*') which weakens API key security.
Persistence & Privilege
always:false and agent-autonomy not disabled (normal). The skill does not request persistent platform privileges and does not modify other skills. However it reads a workspace-level file (TOOLS.md) outside the skill directory — this grants it access to anything the user places there and is a privilege to be aware of.
What to consider before installing
This skill generally does what it says (fetches weather and can email/notify), but there are several red flags to consider before installing or running it:
- Do not assume your keys are encrypted: SKILL.md claims TOOLS.md stores credentials 'encrypted', but the included script reads TOOLS.md as plain text with regex. Treat TOOLS.md as plaintext unless you verify real encryption.
- Verify where credentials are read from: the runtime code reads workspace/TOOLS.md, not an env var named QWEATHER_API_KEY. If you keep other secrets in a central TOOLS.md, the skill will access them.
- Beware the default recipient: the script defines a hard-coded DEFAULT_RECIPIENT (a QQ address). If you enable automated emailing, double-check recipients to avoid accidental data leakage.
- The package references missing files (scripts/weather_report_v2.py, docs/) — the distributed bundle is incomplete; inspect the included weather_report.py fully before use.
- The skill advises adding '*' to the QWeather host whitelist — that weakens your API key's protection. Prefer restricting allowed hosts.
Recommended actions:
1) Inspect the entire weather_report.py file locally and confirm it only reads the specific values you expect (API key, sender email, auth code) and does not transmit other files or secrets.
2) Move credentials to a secure store (environment variables or a secrets manager) rather than a plaintext TOOLS.md, or modify the script to use env vars.
3) If you must use TOOLS.md, ensure it contains only the minimal required values and is not shared or committed to VCS (.gitignore it).
4) Run the script in an isolated environment (local container/VM) and monitor outbound network traffic the first time you run it.
5) If you want to use the skill in automated/agent contexts, require explicit confirmation before sending emails and remove or change any hard-coded default recipients.
If you provide the missing referenced scripts or explain the 'encrypted' storage mechanism, that could raise confidence; as-is the packaging and claims are inconsistent and justify caution.

Runtime requirements

🌤️ Clawdis
Config: QWEATHER_API_KEY
latest: vk977tz10wnve52mfyf4axzr6td82834m
590 downloads
0 stars
3 versions
Updated 6h ago
v1.0.2
MIT-0

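China Weather Skill (CN Weather)

Uses the QWeather (和风天气) API to fetch real-time weather and forecast data for Chinese cities.

✨ Features:

  • 🔄 Dual API support (QWeather + Open-Meteo automatic fallback)
  • 📧 Email push
  • 📅 3-day weather forecast
  • 🏙️ Multi-city support

🔐 Security configuration

Where sensitive information is stored

For security reasons, all sensitive configuration is stored encrypted:

  • API Key: TOOLS.md (encrypted local storage)
  • Credential ID: TOOLS.md (encrypted local storage)
  • Email authorization code: TOOLS.md (encrypted local storage)

Do not store any sensitive information in the skill files!

Configuration steps

  1. Edit TOOLS.md

    # Open in an editor
    code TOOLS.md
    
  2. Add the configuration (see the example)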

    ### Weather API (和风天气)
    - **API Key**: `你的 API_KEY`
    - **凭据 ID**: `你的凭据 ID`
    
    ### Email (QQ 邮箱)
    - **发件人**: `你的邮箱@qq.com`
    - **授权码**: `你的授权码`
    
  3. Loaded automatically after saving

    • The script reads the configuration from TOOLS.md automatically
    • No need to modify the skill files
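
A narrower way to load the configuration from these steps, as an added example (not the skill's weather_report.py): it prefers the QWEATHER_API_KEY variable named in the registry metadata, parses only the Weather API section of TOOLS.md as plaintext, and has no default e-mail recipient. The function names, the placeholder check and the sample values are assumptions made for illustration.

```python
import os
import re
from pathlib import Path

# Constructed sample in the layout of the TOOLS.md example above (fake values).
SAMPLE = """### Weather API (和风天气)
- **API Key**: `abc123-constructed`
- **凭据 ID**: `CRED-constructed`

### Email (QQ 邮箱)
- **发件人**: `sender@example.com`
- **授权码**: `not-a-real-code`
"""

# Matches one "- **label**: `value`" line as written in the sample.
FIELD = re.compile(r"^- \*\*(?P<name>[^*]+)\*\*:\s*`(?P<value>[^`]*)`\s*$")


def section_fields(text, title):
    """Return {label: value} for the '### <title>' section only."""
    fields, inside = {}, False
    for line in text.splitlines():
        if line.startswith("### "):
            inside = line[4:].strip().startswith(title)
            continue
        m = FIELD.match(line.strip()) if inside else None
        if m:
            fields[m["name"].strip()] = m["value"].strip()
    return fields


def load_api_key(env=os.environ, tools_path=None):
    """Prefer QWEATHER_API_KEY; fall back to the Weather API section of TOOLS.md."""
    key = env.get("QWEATHER_API_KEY", "").strip()
    source = "env"
    if not key and tools_path and Path(tools_path).is_file():
        text = Path(tools_path).read_text(encoding="utf-8")
        key = section_fields(text, "Weather API").get("API Key", "")
        source = "TOOLS.md (plaintext)"
    if not key or "你的" in key:  # empty, or still the template placeholder
        raise ValueError("no usable QWeather API key configured")
    return key, source


def resolve_recipient(argv):
    """No built-in default: mail goes only to an address passed explicitly."""
    if len(argv) < 2 or not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", argv[1]):
        return None  # caller skips the e-mail step
    return argv[1]
```

Because the key lookup parses only the Weather API section, the e-mail authorization code stored in the same file is never read by it.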

🚀 Quick start

Option 1: Run the Python script (recommended)

# Use the default configuration
python scripts/weather_report_v2.py

# Send to a specified email address
python scripts/weather_report_v2.py recipient@example.com

Option 2: Run from the skill directory

cd skills/cn-weather
python weather_report.py

Option 3: PowerShell command

# Run after reading the API key from TOOLS.md
$apiKey = "从 TOOLS.md 读取"
(Invoke-WebRequest -Uri "https://devapi.qweather.com/v7/weather/now?location=101190801&key=$apiKey" -UseBasicParsing).Content | ConvertFrom-Json

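📁 File structure

skills/cn-weather/
├── SKILL.md              # Public documentation (no sensitive information)
└── weather_report.py     # Execution script (reads configuration from TOOLS.md)

workspace/
├── TOOLS.md              # 🔐 Sensitive configuration (stored locally)
├── scripts/
│   └── weather_report_v2.py  # Main script
└── docs/
    └── qweather-*.md     # Related documentation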

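🏙️ Common city IDs

City                  ID         Province   Coordinates
Beijing               101010100  Beijing    39.90°N, 116.41°E
Shanghai              101020100  Shanghai   31.23°N, 121.47°E
Guangzhou             101280101  Guangdong  23.13°N, 113.27°E
Shenzhen              101280601  Guangdong  22.54°N, 114.06°E
Lianyungang (Ganyu)   101190801  Jiangsu    34.83°N, 119.12°E
Suqian (Suyu)         101191301  Jiangsu    33.95°N, 118.33°E
Nanjing               101190101  Jiangsu    32.06°N, 118.78°E
Suzhou                101190501  Jiangsu    31.30°N, 120.59°E
Hangzhou              101210101  Zhejiang   30.27°N, 120.15°E
Chengdu               101270101  Sichuan    30.67°N, 104.07°E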

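🌤️ Weather code reference (full)

Sunny

Code     Meaning                                     Icon    Period
100                                                  ☀️      Daytime
150                                                  🌙      Night

Cloudy

Code     Meaning                                     Icon
101      Cloudy                                      ☁️
102      Few clouds
103      Partly cloudy                               🌤️
104                                                  ☁️
151-153  Night variant                               🌙

Code     Meaning                                     Icon
300-301  Shower rain / heavy shower rain             🌦️🌧️
302-304  Thundershower                               ⛈️
305-309  Light / moderate / heavy rain               🌧️
310-318  Rainstorm and above                         🌧️
350-351  Night shower rain                           🌦️
399                                                  🌧️

Code     Meaning                                     Icon
400-403  Light / moderate / heavy snow / snowstorm   🌨️
404-405  Sleet / rain and snow                       🌨️
406-410  Various kinds of snow                       🌨️
456-457  Night shower snow                           🌨️
499                                                  🌨️

Fog / haze / sand and dust

Code     Meaning                                     Icon
500-501  Mist / fog                                  🌫️
502                                                  😷
503-504  Blowing sand / floating dust                💨
507-508  Sandstorm                                   💨
509-515  Various kinds of fog / haze                 🌫️😷

Special

Code     Meaning                                     Icon
900                                                  🥵
901                                                  🥶
999      Unknown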

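📊 API comparison

Feature                 Open-Meteo     QWeather
Cost                    Free           Free 1000 calls/day
API Key                 Not required   Required (TOOLS.md)
Data source             International  Official Chinese
City identification     Coordinates    City ID
Feels-like temperature
Air pressure
Visibility
Chinese support         ⭐⭐⭐⭐⭐⭐⭐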

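⚠️ Notes

Security tips

  • Sensitive information is stored encrypted in TOOLS.md
  • The skill files can be shared safely (no keys)
  • Do not commit TOOLS.md to Git
  • Do not share the API key in public

Host whitelist configuration

If the API returns a 403 Invalid Host error:

  1. Go to https://console.qweather.com
  2. Find your credential
  3. Configure the Host whitelist: add *localhost,127.0.0.1
  4. Save, then wait 5 minutes for it to take effect

Automatic fallback mechanism

The script automatically checks whether the QWeather API is available:

  • ✅ Available → use QWeather (more accurate data)
  • ❌ Unavailable → automatically switch to Open-Meteo (free backup)

Free quota

  • 1000 calls per day
  • Enough for personal projects
  • Automatically falls back to Open-Meteo once the limit is exceeded

📚 Related documentation

  • docs/qweather-api-reference.md - API quick reference
  • docs/qweather-setup.md - Setup guide
  • docs/qweather-setup-issue.md - Troubleshooting
  • scripts/README-WEATHER.md - Weather script usage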

Last updated: March 4, 2026
Security status: ✅ Sensitive information is stored encrypted in TOOLS.md
