
中国城市天气Weather in China

Author: kenera · GitHub ↗ · v1.0.1
cross-platform ⚠ suspicious
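Total downloads: 2029
Favorites: 3
Current installs: 23
Versions: 2
Install in OpenClaw
/install weather-cn
Description
Chinese-language weather lookup tool: fetches real-time weather from 中国天气网 (China Weather Network); no API key required and no dependence on a large language model
Security usage advice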
The skill is functionally coherent, but the bundled script uses eval on data derived from fetched HTML (and therefore untrusted). That creates a real risk of command injection if the remote page or the local city file is maliciously modified. Before installing or running: (1) review or run the script only in an isolated environment (container or low-privilege account); (2) avoid running it as root; (3) fix the code by removing eval — parse the key=value output safely (for example, read lines and assign variables explicitly or whitelist keys and sanitize values), or escape values before eval; (4) verify weather_codes.txt hasn't been tampered with; (5) consider adding strict input validation on city_code (digits only) and stricter extraction of values (strip quotes/unsafe characters). If you want, I can provide a patched version of the script that avoids eval and is safer to run.
Functional analysis
Type: OpenClaw Skill
Name: weather-cn
Version: 1.0.1
The skill is classified as suspicious primarily due to the use of `eval "$data"` in the `format_output` function within `weather-cn.sh`. While the input `$data` is derived from `grep` and `sed` operations with specific patterns on external HTML, `eval` is an inherently dangerous function that introduces a shell injection vulnerability. Although the current parsing logic makes direct exploitation difficult, it's a critical security flaw. The skill also uses `curl` to fetch data from an external website (weather.com.cn), which is expected for its functionality but represents a network access capability.
Capability assessment
Purpose & Capability
Name/description match the implementation: the skill is a bash script that fetches weather from weather.com.cn using curl/grep and a local city->code map. Required binaries (curl, grep) and files (weather_codes.txt) are appropriate and proportional.
Instruction Scope
SKILL.md instructs running the bundled script, which fetches remote HTML and parses it locally. The script outputs key=value lines and then uses eval "$data" in format_output — evaluating untrusted content from the network (or a modified local file) can lead to arbitrary shell command execution. Parsing HTML with grep/sed is brittle and may produce unexpected strings that make eval dangerous. This is scope-consistent but contains an unsafe coding pattern.
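The eval-free parsing recommended in the security advice, applied to the key=value output described above. This is an added example, not the skill's own code; the key names (city, weather, temp_high, temp_low) and the W_ variable prefix are assumptions, since the page does not list the script's actual keys.

```sh
# Added example, not the skill's code. Key names (city, weather, temp_high,
# temp_low) and the W_ prefix are assumptions; the page does not list the
# script's real keys.

# Accept only an all-digit city code before it is placed in a URL.
valid_city_code() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  return 0
}

# Delete quotes and shell metacharacters from a free-text value.
clean_text() {
  printf '%s' "$1" | tr -d "\"'\`\$;&|<>(){}\\\\"
}

# Keep a temperature only if it is an optionally signed integer.
clean_temp() {
  case "$1" in
    ''|-|*[!0-9-]*|?*-*) ;;
    *) printf '%s' "$1" ;;
  esac
}

# Read key=value lines on stdin and assign only allow-listed keys. Use a
# redirect or here-document (not a pipe) so the variables persist.
parse_weather() {
  W_city='' W_weather='' W_temp_high='' W_temp_low=''
  while IFS='=' read -r pw_key pw_val || [ -n "$pw_key" ]; do
    case "$pw_key" in
      city)      W_city=$(clean_text "$pw_val") ;;
      weather)   W_weather=$(clean_text "$pw_val") ;;
      temp_high) W_temp_high=$(clean_temp "$(clean_text "$pw_val")") ;;
      temp_low)  W_temp_low=$(clean_temp "$(clean_text "$pw_val")") ;;
      *) ;;  # unknown key: ignored, never assigned or executed
    esac
  done
}

# Constructed sample: normal lines, an unexpected key, a hostile value.
parse_weather <<'SAMPLE'
city="北京"
weather="晴"
temp_high="12"
PATH=/nonexistent
temp_low=5"; INJECTED=1; #
SAMPLE
printf '%s %s %s/%s\n' "$W_city" "$W_weather" "$W_temp_high" "${W_temp_low:-?}"
```

Because nothing is passed to eval, the malformed temp_low value is rejected as non-numeric and the unexpected PATH line is ignored rather than assigned.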
Install Mechanism
No install spec (instruction-only); there are no remote downloads or installs. That limits install-time risk. Shipping a script file is expected for this kind of skill.
Credentials
The skill requests no environment variables or credentials. Network access to www.weather.com.cn is required and expected. No unrelated secrets or config paths are requested.
Persistence & Privilege
always is false and the skill does not request persistent/system-wide changes or elevated privileges. It's user-invokable and behaves like a normal, ephemeral script.
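How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install weather-cn
  3. Once installation completes, invoke the Skill by name or trigger it with /weather-cn
  4. Provide the inputs required by the Skill's parameter description to get structured output
Version history
v1.0.1
- Updated the script path in the usage examples to a standard path under the user's home directory, for better portability
- Everything else unchanged; no code or functional changes
v1.0.0
Initial release of weather-zh (formerly weather-cn):
- Chinese-language weather lookup script that scrapes data directly from 中国天气网 (China Weather Network); no API key and no LLM dependency
- Supports 50+ major Chinese cities, with a preset city code table that can be extended manually
- Pure Bash implementation depending on curl and grep; very fast, <1 second response
- Formatted output including weather, temperature, living indices and other information
- Zero token consumption; suited to high-frequency, automated calls
- Detailed documentation and usage instructions included
Metadata
Slug weather-cn
Version 1.0.1
License
Total installs 27
Current installs 23
Version count 2
FAQ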

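What is 中国城市天气Weather in China?

A Chinese-language weather lookup tool that fetches real-time weather from 中国天气网 (China Weather Network), with no API key required and no dependence on a large language model. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 2029 total downloads to date.

How do I install 中国城市天气Weather in China?

Run the command "/install weather-cn" in the OpenClaw or Claude Code chat box for a one-step install; no extra configuration is needed.

Is 中国城市天气Weather in China free?

Yes, 中国城市天气Weather in China is completely free (free and open source) and can be freely downloaded, installed and used.

Which platforms does 中国城市天气Weather in China support?

中国城市天气Weather in China runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed 中国城市天气Weather in China?

Developed and maintained by kenera (@kenera); the current version is v1.0.1.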
