weather-cn-fixed
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A compromised or maliciously altered weather page response could potentially cause commands to run on the user's machine when the weather script is invoked.
The script downloads remote HTML, derives WEATHER from parsed page content, emits it as an assignment string, and later runs eval on that string. If the parsed remote content contains shell metacharacters or command substitutions, eval can execute them locally.
html=$(curl -s --max-time 10 "$url" 2>/dev/null) ... echo "WEATHER=${weather:-未知}" ... eval "$data"
Remove eval and parse key/value output safely, for example by assigning variables directly or reading only expected keys with strict validation and quoting.
Users may have difficulty confirming they installed the intended package or following the documented install path.
The registry metadata describes weather-cn-fixed version 1.0.2, while the packaged _meta.json says weather-cn version 1.0.1 and SKILL.md names weather-zh. This inconsistency does not prove unsafe behavior, but it is a packaging/provenance mismatch users should notice.
"slug": "weather-cn", "version": "1.0.1"
Publish consistent registry metadata, _meta.json, SKILL.md name, and documented skill path before relying on the package.
