
中国城市天气Weather in China

by kenera · GitHub ↗ · v1.0.1
cross-platform ⚠ suspicious
Downloads: 2029
Stars: 3
Active Installs: 23
Versions: 2
Install in OpenClaw
/install weather-cn
Description
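Chinese-language weather lookup tool - fetches real-time weather from 中国天气网 (China Weather Network), with no API key required and no dependence on a large language model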
Usage Guidance
The skill is functionally coherent, but the bundled script uses eval on data derived from fetched HTML (and therefore untrusted). That creates a real risk of command injection if the remote page or the local city file is maliciously modified. Before installing or running:
  1. Review or run the script only in an isolated environment (container or low-privilege account).
  2. Avoid running it as root.
  3. Fix the code by removing eval: parse the key=value output safely (for example, read lines and assign variables explicitly or whitelist keys and sanitize values), or escape values before eval.
  4. Verify weather_codes.txt hasn't been tampered with.
  5. Consider adding strict input validation on city_code (digits only) and stricter extraction of values (strip quotes/unsafe characters).
If you want, I can provide a patched version of the script that avoids eval and is safer to run.
Capability Analysis
Type: OpenClaw Skill
Name: weather-cn
Version: 1.0.1
The skill is classified as suspicious primarily due to the use of `eval "$data"` in the `format_output` function within `weather-cn.sh`. While the input `$data` is derived from `grep` and `sed` operations with specific patterns on external HTML, `eval` is an inherently dangerous function that introduces a shell injection vulnerability. Although the current parsing logic makes direct exploitation difficult, it's a critical security flaw. The skill also uses `curl` to fetch data from an external website (weather.com.cn), which is expected for its functionality but represents a network access capability.
Capability Assessment
Purpose & Capability
Name/description match the implementation: the skill is a bash script that fetches weather from weather.com.cn using curl/grep and a local city->code map. Required binaries (curl, grep) and files (weather_codes.txt) are appropriate and proportional.
Instruction Scope
SKILL.md instructs running the bundled script, which fetches remote HTML and parses it locally. The script outputs key=value lines and then uses `eval "$data"` in `format_output` — evaluating untrusted content from the network (or a modified local file) can lead to arbitrary shell command execution. Parsing HTML with grep/sed is brittle and may produce unexpected strings that make eval dangerous. This is scope-consistent but contains an unsafe coding pattern.
Install Mechanism
No install spec (instruction-only); there are no remote downloads or installs. That limits install-time risk. Shipping a script file is expected for this kind of skill.
Credentials
The skill requests no environment variables or credentials. Network access to www.weather.com.cn is required and expected. No unrelated secrets or config paths are requested.
Persistence & Privilege
always is false and the skill does not request persistent/system-wide changes or elevated privileges. It's user-invokable and behaves like a normal, ephemeral script.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install weather-cn
  3. After installation, invoke the skill by name or use /weather-cn
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
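- Updated the script path in the usage examples to a standard path under the user's home directory, improving generality
- Everything else is unchanged; no code or functional changes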
v1.0.0
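Initial release of weather-zh (formerly weather-cn):
- Chinese-language weather lookup script that scrapes 中国天气网 (China Weather Network) directly, with no API key and no large language model dependency
- Supports 50+ major Chinese cities, with a preset city code table that can be extended manually
- Implemented entirely in Bash, depends on curl and grep, very fast (<1 second response)
- Formatted output including weather, temperature, living indices and other information
- Zero token consumption, suitable for high-frequency, automated invocation
- Includes detailed documentation and usage instructions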
Metadata
Slug weather-cn
Version 1.0.1
License
All-time Installs 27
Active Installs 23
Total Versions 2
Frequently Asked Questions

What is 中国城市天气Weather in China?

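A Chinese-language weather lookup tool that fetches real-time weather from 中国天气网 (China Weather Network), with no API key required and no dependence on a large language model. It is an AI Agent Skill for Claude Code / OpenClaw, with 2029 downloads so far.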

How do I install 中国城市天气Weather in China?

Run "/install weather-cn" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is 中国城市天气Weather in China free?

Yes, 中国城市天气Weather in China is completely free (open-source). You can download, install and use it at no cost.

Which platforms does 中国城市天气Weather in China support?

中国城市天气Weather in China is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created 中国城市天气Weather in China?

It is built and maintained by kenera (@kenera); the current version is v1.0.1.
