Skill v0.1.1
ClawScan security
Global Weather Service · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 28, 2026, 3:38 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and requirements are consistent with a weather lookup + scheduled subscription service powered by Open‑Meteo and do not request unrelated secrets or install arbitrary third‑party code.
- Guidance: This skill appears to do what it claims: generate Open‑Meteo weather reports and create real scheduled deliveries via the OpenClaw CLI. Before installing, verify that you trust the OpenClaw runtime (openclaw.cmd) because the subscription manager invokes that CLI to create cron jobs and pass messages/targets. Review data/subscriptions.json for any existing targets you don't recognize (they will be used for delivery). If you don't want scheduled pushes, avoid creating subscriptions or remove existing entries. No API keys or external installers are required and network requests go only to Open‑Meteo geocoding/forecast endpoints according to the code.
Review Dimensions
- Purpose & Capability: ok. Name/description (one‑time queries + scheduled subscriptions) matches the included scripts and data files. The code only uses Open‑Meteo endpoints for weather data and local JSON files for subscriptions/timezones. The subscription manager invokes an OpenClaw CLI to create cron jobs, which is expected for scheduling behaviour.
- Instruction Scope: ok. SKILL.md instructs running the included Python scripts and managing subscriptions; the scripts read/write only the stated data files and call Open‑Meteo. There are no instructions to read unrelated files or exfiltrate secrets. The subscription flow requires creating real cron jobs via an OpenClaw command, which is consistent with the stated feature.
- Install Mechanism: ok. No install spec or external archive downloads. This is an instruction + bundled script skill; all code is present in the repo and nothing is fetched or extracted at install time.
- Credentials: ok. The skill declares no required environment variables or credentials. It does store and use local subscription/timezone data and expects an OpenClaw CLI (openclaw.cmd) for cron operations. No unrelated cloud credentials or secrets are requested.
- Persistence & Privilege: note. The skill is not always-enabled and does not request special platform privileges. It does create scheduled cron jobs by invoking the OpenClaw CLI — this gives the skill persistent scheduled delivery behaviour, which is expected for subscriptions and should be allowed only in a trusted OpenClaw environment.
