Skill v1.0.0

ClawScan security

Tübingen Weather Graphics · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 13, 2026, 6:17 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and requirements are consistent with its stated purpose of generating a 5-day Tübingen weather graphic from open-meteo.com and sending it; there are no unexplained credential requests or suspicious endpoints.
Guidance
This skill appears to do exactly what it says: fetch public forecast data from open-meteo and render a PNG. Before installing, consider: 1) whether you want the optional cron scheduling that will cause the agent to automatically run the script and send images (ensure the destination channel is correct and authorized), 2) create the venv and install the required Python packages (note the doc lists numpy and pillow but the example only installs matplotlib), and 3) verify the output path (data/weather/...) is acceptable. No secrets are requested and no hidden endpoints were found.

Review Dimensions

Purpose & Capability
ok: Name/description match the included script and instructions. The script fetches forecast data from open-meteo.com and produces a PNG; no unrelated credentials, binaries, or services are requested.
Instruction Scope
note: SKILL.md stays within the task: it instructs creating a venv, installing plotting libs, running the script, and (optionally) scheduling a cron job that tells the agent to run the script and send the PNG. The cron example includes an automated send to 'Master' (e.g., via Telegram) — expected for automated posting but worth noting because it enables periodic network calls and automatic outbound messages.
Install Mechanism
ok: No install spec is provided (instruction-only) and the example uses a local venv + pip. This is low-risk; the script is included in the bundle. Minor documentation inconsistency: prerequisites list matplotlib, numpy, pillow, but the pip example only shows 'pip install matplotlib' (matplotlib typically pulls numpy but not pillow).
Credentials
ok: The skill requests no environment variables, no secrets, and the code only accesses a public open-meteo API endpoint. There are no requests for unrelated credentials or config paths.
Persistence & Privilege
note: always:false (normal). The SKILL.md shows how to schedule an OpenClaw cron job that will autonomously run the script and send the result — this is expected for periodic forecast posting but users should be aware that enabling the cron will cause recurring network calls and automatic outbound messages.