weather-cn-fixed
Warn
Audited by ClawScan on May 10, 2026.
Overview
This weather skill mostly matches its stated purpose, but its script evaluates text derived from a website as shell code, which could let a malicious weather-page response run local commands.
Install only if you are comfortable reviewing or patching the shell script. The intended weather lookup is simple and credential-free, but the eval usage should be fixed before routine use, and the package metadata/path mismatch should be clarified.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A compromised or maliciously altered weather page response could cause commands to run on the user's machine whenever the weather script is invoked.
The script downloads remote HTML, derives WEATHER from parsed page content, emits it as an assignment string, and later runs eval on that string. If the parsed remote content contains shell metacharacters or command substitutions, eval can execute them locally.
html=$(curl -s --max-time 10 "$url" 2>/dev/null)
...
echo "WEATHER=${weather:-未知}"
...
eval "$data"
Remove eval and parse key/value output safely, for example by assigning variables directly or reading only expected keys with strict validation and quoting.
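To make the finding concrete, the following is an added example written for this audit page; it is not the skill's own script. It reproduces the flagged pattern (derive a value from page text, emit a `WEATHER=...` string, `eval` it) against a constructed hostile page, then shows a replacement that reads the same key/value output line by line without `eval`. Everything is offline: the "page" is a string, the injected command is a harmless `echo`, and the function and key names are assumptions, not names from the skill.

```bash
#!/usr/bin/env bash
# Added example, not the weather skill's own code. Constructed input only: no
# network access, and the injected command merely echoes a marker.

# Constructed hostile page. A real attacker would place this in whatever
# element the script's parser extracts; the payload is a command substitution.
HOSTILE_HTML='<span class="wea">Sunny$(echo INJECTED)</span>'

# Mirrors the flagged flow: derive $weather from HTML, build "WEATHER=..." as a
# string, then eval it. Prints the resulting WEATHER so the injection is visible.
vulnerable_lookup() {
  local html="$1" weather data
  # sed copies the captured text verbatim; nothing has been expanded yet
  weather=$(printf '%s\n' "$html" | sed -n 's/.*<span class="wea">\(.*\)<\/span>.*/\1/p')
  data="WEATHER=${weather:-未知}"   # data is the literal text WEATHER=Sunny$(echo INJECTED)
  eval "$data"                      # eval re-parses it, so $(echo INJECTED) executes here
  printf '%s\n' "$WEATHER"
}

# Hardened replacement (assumed design, not the skill's). It consumes the same
# "KEY=VALUE" text the script emits, but reads it line by line, honours only an
# allow-list of keys, refuses values containing shell metacharacters, and never
# hands page-derived text to eval. Returns 1 if any value is rejected.
parse_weather_kv() {
  local data="$1" key value
  WEATHER='' TEMP=''
  while IFS='=' read -r key value; do
    [ -n "$key" ] || continue                       # skip blank lines
    case "$value" in
      *[\$\`\;\&\|\<\>\(\)\\]*) return 1 ;;           # defence in depth: no metacharacters
    esac
    case "$key" in                                  # unknown keys (PATH=..., etc.) are dropped
      WEATHER) WEATHER=$value ;;
      TEMP)    TEMP=$value ;;
      *)       ;;
    esac
  done <<EOF
$data
EOF
  return 0
}

# Demonstration when run directly
printf 'vulnerable: WEATHER=%s\n' "$(vulnerable_lookup "$HOSTILE_HTML")"
parse_weather_kv 'WEATHER=Sunny$(echo INJECTED)' || printf 'hardened: rejected hostile value\n'
```

The vulnerable path prints `WEATHER=SunnyINJECTED`: the `echo` ran because `eval` re-parsed text that originated in the page. The here-document in the hardened parser expands `$data` exactly once and does not rescan the result, so a `$(...)` inside a value stays inert, and the assignment only ever happens for keys the script expects.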
Users may have difficulty confirming they installed the intended package or following the documented install path.
The registry metadata describes weather-cn-fixed version 1.0.2, while the packaged _meta.json says weather-cn version 1.0.1 and SKILL.md names weather-zh. This inconsistency does not prove unsafe behavior, but it is a packaging/provenance mismatch users should notice.
"slug": "weather-cn", "version": "1.0.1"
Publish consistent registry metadata, _meta.json, SKILL.md name, and documented skill path before relying on the package.
