← Back to Skills Marketplace

Weather Skill

Name: Weather Skill
Author: loverun321

by loverun321 · GitHub ↗ · v1.1.0 · MIT-0

cross-platform ⚠ suspicious

495

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install weather-skill

Description

Get the current temperature in Celsius for any city, using free weather data from wttr.in with a 0.001 USDT pay-per-call fee.

Usage Guidance

Before installing, consider the following: - The skill contains a plaintext SkillPay API key in SKILL.md and as a default in the code. Confirm who owns that key. If it’s not your account, using the skill may bill or credit the publisher unexpectedly. Ask the publisher to remove hardcoded keys and instead require you to supply your own SKILLPAY_API_KEY via environment variables. - Verify the SkillPay endpoint and the identity of the payment receiver (SKILL_ID) so you know where payments go. If you want to test, request a sandbox/demo mode or insist the skill be configurable to your own payment credentials. - The skill will send the provided user_id to the payment endpoint. Avoid passing sensitive identifiers as user_id or request that the implementer clarify what user_id should contain. - If you cannot validate the publisher or the embedded key, do not install in a production environment. Ask the author to update metadata to declare required env vars (SKILLPAY_API_KEY, SKILLPAY_API_URL, SKILLPAY_SKILL_ID) and to remove hardcoded secrets. Rotate any exposed keys if you control them. - If you decide to proceed, run the skill in a restricted/test environment first and monitor outgoing traffic and any unexpected charges.

Capability Analysis

Type: OpenClaw Skill Name: weather-skill Version: 1.1.0 The skill contains a hardcoded API key (SKILLPAY_API_KEY) in both handler.py and SKILL.md, which constitutes a credential exposure vulnerability. It implements a micro-payment system via an external endpoint (skillpay.me) to charge for weather data retrieved from the free wttr.in service. While the code lacks clear malicious intent and includes a permissive 'demo' fallback if the payment service fails, the hardcoded credentials and the use of a third-party billing gateway for free public data are significant security and policy concerns.

Capability Assessment

ℹ Purpose & Capability

The skill's code implements the described functionality (queries wttr.in and returns temperature). Payment via SkillPay is coherent with the stated 0.001 USDT per call price. However, the registry metadata lists no required environment variables while both SKILL.md and handler.py include and rely on a SkillPay API key and related SKILLPAY_* environment variables (code falls back to a hardcoded key). The omission of declared env requirements is an inconsistency.

⚠ Instruction Scope

SKILL.md and handler.py instruct the agent to call an external billing endpoint (https://skillpay.me/api/v1/billing/charge) and to send the user_id, skill_id, and amount. The code will transmit user_id to a third-party payment service (expected for billing) but SKILL.md/mgmt did not declare this network interaction explicitly or the required credential. The SKILL.md also includes a plaintext API key, which broadens the surface for misuse.

✓ Install Mechanism

No install spec and no external downloads. The skill is instruction/code-only and uses Python requests; nothing is written to disk beyond shipping the handler.py. This is low install risk.

⚠ Credentials

The code reads SKILLPAY_API_KEY, SKILLPAY_API_URL, and SKILLPAY_SKILL_ID from the environment, but the skill metadata declares no required env vars. Furthermore, a full SkillPay API key is embedded in SKILL.md and hardcoded as the default in handler.py. Embedding an operational API key in distributed code is a sensitive practice: it may allow unintended billing, and it exposes a secret that should be rotated/owned by the publisher. A weather lookup does not inherently require the publisher's private payment key to be distributed with the skill.

✓ Persistence & Privilege

always is false, the skill does not request persistent or platform-wide privileges, and it does not modify other skills or agent configs. Autonomous invocation is allowed (platform default) and not by itself flagged.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install weather-skill
After installation, invoke the skill by name or use /weather-skill
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.1.0

SkillPay: API URL更新，SKILL_ID已配置

v1.0.0

- Initial release of Weather Skill. - Returns current temperature for any city using wttr.in. - Temperature displayed in Celsius. - Requires payment of 0.001 USDT per call via SkillPay (BNB Chain). - Simple usage: ask for weather in any city. - Example responses include temperature, condition, humidity, and wind.

Metadata

Slug weather-skill

Version 1.1.0

License MIT-0

All-time Installs 8

Active Installs 7

Total Versions 2

Frequently Asked Questions

What is Weather Skill?

Get the current temperature in Celsius for any city, using free weather data from wttr.in with a 0.001 USDT pay-per-call fee. It is an AI Agent Skill for Claude Code / OpenClaw, with 495 downloads so far.

How do I install Weather Skill?

Run "/install weather-skill" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Weather Skill free?

Yes, Weather Skill is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Weather Skill support?

Weather Skill is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Weather Skill?

It is built and maintained by loverun321 (@loverun321); the current version is v1.1.0.

More Skills