Skill v1.0.1

ClawScan security

China domestic weather lookup skill - based on the free uapis.cn API. Supports 3000+ cities nationwide, with no registration or API key required · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 10, 2026, 4:25 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
This skill is internally consistent: it only issues simple curl requests to a public weather API (uapis.cn) and does not request credentials or elevated privileges.
Guidance
This skill is low-risk and behaves as described, but consider the following before installing:
1) Queries (city names) are sent to the third-party service uapis.cn; if you have privacy concerns about sending location queries externally, do not install.
2) The skill has no source/homepage listed, so you cannot audit the provider or confirm SLA/uptime; it depends on availability and reliability of uapis.cn.
3) No credentials are requested and no files are accessed, so there is no obvious exfiltration vector beyond the API calls.
4) Ensure curl is available in the runtime environment.
5) If you need stronger privacy or reliability guarantees, prefer an official/known weather API with documented terms and rate limits.

Review Dimensions

Purpose & Capability
ok: Name/description match the implementation: SKILL.md instructs the agent to query uapis.cn for weather by city name. The only required binary is curl, which is appropriate and proportionate.
Instruction Scope
ok: Instructions are limited to calling the uapis.cn weather endpoint and interpreting its JSON response. The skill does not instruct the agent to read local files, access unrelated environment variables, or send data to other endpoints. Note: user queries (city names) will be sent to the third-party API.
Install Mechanism
ok: No install spec and no code files (instruction-only skill). Nothing is written to disk or downloaded during install.
Credentials
ok: No environment variables, credentials, or config paths are requested; this is proportional to a simple weather lookup skill.
Persistence & Privilege
ok: The skill is not always-on and does not request persistent/system-level privileges. Model invocation is allowed (platform default), which is reasonable for this kind of skill.