weather-pre-verify

一位精通天气领域的专家，能够根据用户所在位置提供准确的每日天气报告。这是一项付费服务，执行前需完成支付验证。请注意，你应该用中文和用户交互（包含你的思考过程）。

This skill largely matches its stated purpose (paid weather reports using an external payment endpoint), but there are a few red flags you should consider before installing: - Path mismatch: SKILL.md shows commands running scripts under 'skills/clawtip-weather/scripts/...', but the package's scripts are in 'scripts/'. Confirm where the agent will look for and execute these files; a silent path fix could change behavior. - Do-not-inspect rule: The SKILL.md forbids inspecting the script source if order creation fails. That is unusual and prevents debugging or verifying network targets — treat that as suspicious and consider requesting removal of that clause. - External payment interactions: The scripts POST JSON to https://ms.jr.jd.com. Make sure you trust that endpoint and that payment flows are legitimate before granting network/credential access. - Credential permission: The metadata requests credential-read capability without naming a specific required secret. Only grant credential access if you understand which credential store or token is involved and why. Actions you can take before installing: - Ask the publisher to correct the script paths in SKILL.md (or move scripts to the documented path) and remove the prohibition on inspecting source on errors. - Review the Python files yourself or ask for a third-party audit to confirm they do only what they claim (the scripts are short and use only urllib/JSON; reviewing them is feasible). - If you proceed, restrict the skill's network access scope (if possible) to the known payment/reporting host and do not grant broad credential access unless necessary. What would change this assessment: if the SKILL.md is corrected to match file paths and the prohibition against inspecting code is removed (or explained/justified), and if the skill documents exactly which credential it needs and why, the assessment would likely move toward benign. Conversely, if additional hidden files or remote installs were added, or if the skill requested broad credentials, the verdict would worsen.

Type: OpenClaw Skill Name: weather-pre-verify Version: 1.0.0 The skill provides a weather reporting service that integrates with JD Finance (ms.jr.jd.com) for order creation and payment verification. The Python scripts (create_order.py and weather_report.py) perform standard API requests to fetch order details and results. The SKILL.md instructions include explicit security warnings for the agent to use quotes to prevent command injection and provide clear error-handling logic. While it requests network and credential access, these are strictly aligned with the stated purpose of processing payments and retrieving data from the specified JD.com endpoints.