Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

My Local Weather

v1.0.0

Provides real-time local weather, forecasts, alerts, and historical data with unit conversion, using a configurable API key for privacy-focused, fast access.

by @zywss · fork of @steipete/weather (1.0.0)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The stated purpose (weather data via configurable API key) is reasonable, but the SKILL.md asks for a WEATHER_API_KEY and lists axios/dotenv as dependencies while the shipped package.json and code use only node-fetch and do not read any API key. Registry metadata also declares no required env vars. The capabilities claimed are achievable, but the packaging and docs are inconsistent with the code.
Instruction Scope
SKILL.md instructs the agent to use a provider API key (WEATHER_API_KEY), optionally load .env, and mentions axios/dotenv; index.js instead queries wttr.in and never accesses environment variables or dotenv. The instructions therefore ask the agent to handle secrets/config that the code does not use, increasing the chance a user will expose an API key unnecessarily.
Install Mechanism
There is no install spec (instruction-only style), but the package.json/lock are included and list node-fetch from a public npm mirror. No downloads from untrusted URLs or extract operations are present. The mismatch between declared (in SKILL.md) and actual dependencies is the main concern, not the install mechanism itself.
Credentials
SKILL.md requests WEATHER_API_KEY (and suggests .env usage) even though the code does not read any environment variables, and the registry metadata lists no required env vars. Requesting an API key would be proportionate for a weather skill, but here it is unnecessary and could lead users to supply secrets that the skill never needs — a red flag for possible mis-documentation or future unauthorized use.
Persistence & Privilege
The skill does not request elevated or persistent privileges: always:false, no config-paths, no special OS restrictions. It does not modify other skills or system-wide settings based on the provided files.
What to consider before installing
Do not install or provide API keys until these inconsistencies are resolved. Specific steps you can take:
1) Ask the publisher to explain why SKILL.md asks for WEATHER_API_KEY and lists axios/dotenv while the code uses wttr.in and node-fetch; request a corrected SKILL.md or updated code.
2) Verify the owner ID and source (the ownerId in _meta.json differs from the registry owner listed) and prefer skills with a known source/homepage.
3) If you still want to test it, run it in a sandboxed environment without supplying any real API keys or secrets.
4) If you intend to use an API key, confirm the code actually reads the environment variable and handles it securely before providing one.
