weather-cn-pro
WarnAudited by ClawScan on May 10, 2026.
Overview
This is a coherent weather lookup skill, but its shell script can evaluate data parsed from an external weather page as local shell commands.
Only install if you are comfortable with a shell script making external weather-provider requests. Before routine use, the publisher should remove the eval so webpage content can never be interpreted as a command.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A compromised or malicious weather response could potentially run commands on the user's machine with the user's privileges when the skill is invoked.
The script fetches remote HTML, converts parsed values into shell assignment text, and then evaluates that text with eval. If the fetched page or parsed title contains shell syntax, it could be executed locally.
html=$(fetch_weather "$city_code") current_data=$(parse_current "$html") ... local data="$@" eval "$data"
Remove eval and treat fetched webpage content strictly as data. Assign parsed values directly or use safe parsing/escaping rather than evaluating generated shell text.
Normal use sends city weather requests to the weather provider. The extra AQI endpoint is not called by the current main flow, but it should be documented or removed to avoid ambiguity.
The main weather.com.cn request is purpose-aligned, but the file also includes an unused helper that would contact api.aooi.com even though SKILL.md describes China Weather as the data source.
local url="https://www.weather.com.cn/weather/${city_code}.shtml"
html=$(curl -s --max-time 10 "$url" 2>/dev/null)
...
local aqi_data=$(curl -s --max-time 5 "https://api.aooi.com/weather/index?city=${city}" 2>/dev/null)Disclose all external endpoints that may be used, and remove unused network helpers if they are not part of the intended skill.