ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

weather-report-skills

v1.0.0

天气播报格式化技能。当用户询问天气、查看天气预报、或需要生成天气报告时触发。技能包含完整的天气信息格式化模板,支持今天/明天/后天三种类型,以及时间段的斜体规则。

0· 35·0 current·0 all-time
by@zhjx94264
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The declared purpose is a formatting/template skill for weather reports, and the runtime instructions fetch and format weather data (coherent). However the curl example is hardcoded to "Tianjin" while templates use a generic [地点] placeholder — limiting real-world usefulness and inconsistent with the description.
Instruction Scope
SKILL.md instructs the agent to call an external endpoint (wttr.in), run date, and run a python3 one-liner to parse JSON. The instructions do not reference unrelated files, secrets, or other endpoints, but they do require network access and assume system binaries exist. No unexpected data exfiltration or hidden endpoints are present.
Install Mechanism
This is an instruction-only skill with no install spec or code files, so nothing is written to disk by an installer — lowest install risk.
!
Credentials
The skill declares no required binaries or environment variables, yet runtime instructions call curl, date, and python3. That's an incoherence (missing declared requirements). The skill does not request credentials or sensitive env vars (good).
Persistence & Privilege
always:false and no install steps — the skill does not request elevated persistence or modify other skills; autonomous invocation remains the platform default.
What to consider before installing
This skill is largely harmless but sloppy: it fetches weather from wttr.in and formats it. Before installing, consider: 1) The curl example is hardcoded to "Tianjin" — if you need other locations the skill must be modified to accept a user-specified place. 2) The SKILL.md calls curl, date, and python3 but the manifest lists no required binaries — ensure your agent environment has these tools. 3) The skill makes network requests to wttr.in (no credentials), so confirm you are comfortable allowing that external call and check rate/usage limits and privacy implications. 4) Because this is instruction-only with no code, it has low install risk, but double-check that templates handle time zones correctly and that the agent won't be given broader permissions to run unrelated shell commands. If you want to proceed, ask the author to parameterize the location, declare required binaries, and confirm compliance with your privacy/policy needs.

Like a lobster shell, security has layers — review code before you run it.

chinesevk977ea02f7ehgn62nstma82tmd83y8ctlatestvk977ea02f7ehgn62nstma82tmd83y8ctutilityvk977ea02f7ehgn62nstma82tmd83y8ctweathervk977ea02f7ehgn62nstma82tmd83y8ct

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments