Weather Reporter
Pass
Audited by ClawScan on May 10, 2026.
Overview
The skill appears to generate weather report images as described, but it uses external AI/API services, local API keys, and fixed image filenames that users should manage carefully.
Install only if you are comfortable configuring AI API keys and sending weather prompts to external providers. Use a virtual environment, keep config.json private, and run the script in a dedicated directory because it creates, overwrites, and deletes several fixed PNG files.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your AI provider keys may be used for API calls and billing when reports are generated.
The skill asks the user to place provider API keys in config.json. This is disclosed and matches the AI image/tip features, but these are sensitive credentials.
"zhipuAI": { "api_key": "你的智谱AI API密钥" ... }, "llm": { "api_key": "你的LLM API密钥" ... }
Use dedicated low-risk API keys, keep config.json private, and rotate keys if the file is exposed.
The selected city and generated weather prompt data may be visible to those external services.
The documentation discloses that weather data and prompts are sent to external weather, image-generation, and LLM providers.
- Data source: wttr.in (no API key required) ... - **AI image generation** (makeimage.py): Zhipu AI text-to-image API ... - Uses any OpenAI-protocol API
Avoid using sensitive or private location details if that is a concern, and review the privacy terms of the configured providers.
Installing dependencies without pins can pull newer or unexpected package versions, and manually downloaded assets should be trusted.
The setup instructions use unpinned package installs and a manually obtained font file. This is common for small Python utilities but leaves dependency versions/provenance to the user.
pip install requests pillow matplotlib scipy pandas openai zhipuai ... simhei.ttf - if missing, download it from GitHub: https://github.com/ZYT64/WeatherReporter
Install in a virtual environment, pin package versions where possible, and download the font only from a trusted source.
Existing images with those generic filenames in the current working directory could be removed or overwritten.
On startup, the script deletes fixed relative PNG filenames, apparently to clean its own temporary outputs. Because these paths are relative, running it in a directory containing unrelated files with those names could delete them.
temp_files = ["1.png", "2.png", "3.png", "bg.png", "bg1.png", ...]; ... if os.path.exists(f): os.remove(f)
Run the skill from an isolated working directory, or adjust the code to use a dedicated temporary/output folder.
