← 返回 Skills 市场
weather-query-ych
作者
yuancaihua
· GitHub ↗
· v1.0.0
422
总下载
0
收藏
1
当前安装
1
版本数
在 OpenClaw 中安装
/install weather-query-ych
功能描述
查询指定城市和日期的天气预报,提供天气状况及温度范围,支持中文城市名和日期解析。
安全使用建议
This skill appears to do weather lookups, but the author put an API key directly in the code and did not declare any required credentials — that's a red flag. Before installing: (1) ask the publisher to explain the API key origin and revoke it if it's private; (2) prefer a version that accepts an API key via an environment variable or configuration you control; (3) verify the external endpoint (the code uses api.weather.com-style URLs) and ensure it's trustworthy; (4) if you must use it, monitor network activity and consider running it in an isolated environment. If you cannot verify the key/provider, treat the skill as untrusted.
功能分析
Type: OpenClaw Skill
Name: weather-query-ych
Version: 1.0.0
The skill is classified as suspicious due to significant vulnerabilities related to input sanitization. The `agent.py` file directly interpolates user-provided `city` and `date` values into the API URL without validation, creating a URL injection/SSRF vulnerability. This could allow an attacker to manipulate the API endpoint or potentially target internal network resources if the environment permits. Additionally, the hardcoded API key is a security bad practice, and the naive input parsing `input_text.split("天气")[0]` further exacerbates the risk of malformed input reaching the vulnerable URL construction.
能力评估
Purpose & Capability
Name/description match a simple weather lookup and the code indeed calls an external weather API, but the skill declares no credentials or provider while the code contains an embedded API key and a non-standard URL format. A weather skill would normally request the user's own API key or document the provider — the hard-coded key is unexpected.
Instruction Scope
SKILL.md instructs the agent to parse city/date and call a weather API, which is in-scope. However the runtime code hard-codes an API key and a specific request URL pattern not described in SKILL.md, reducing transparency and giving the skill unilateral network access to an external service without documenting it.
Install Mechanism
No install spec (instruction-only) and no package installation; the only code is a small Python file that uses requests. No additional installers or remote downloads were found.
Credentials
The skill declares no required environment variables or credentials but embeds a literal API key in agent.py. Embedding credentials in code is disproportionate, risks leaking the key, and prevents users from supplying their own credentials as expected.
Persistence & Privilege
The skill is not always-enabled and does not request persistent or system-wide configuration changes. It will perform outbound network requests when invoked, which is expected for a weather lookup.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install weather-query-ych - 安装完成后,直接呼叫该 Skill 的名称或使用
/weather-query-ych触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release with simplified implementation and usage:
- Replaced shell script execution with a Python agent for weather queries.
- Updated documentation to focus on concise usage, sample inputs, and clear output formats.
- Simplified output: formatted text response with city, date, weather status, and temperature range.
- Added clear error handling for unrecognized cities and API failures.
- Removed legacy shell scripts and related usage instructions.
元数据
常见问题
weather-query-ych 是什么?
查询指定城市和日期的天气预报,提供天气状况及温度范围,支持中文城市名和日期解析。 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 422 次。
如何安装 weather-query-ych?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install weather-query-ych」即可一键安装,无需额外配置。
weather-query-ych 是免费的吗?
是的,weather-query-ych 完全免费(开源免费),可自由下载、安装和使用。
weather-query-ych 支持哪些平台?
weather-query-ych 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 weather-query-ych?
由 yuancaihua(@yuancaihua)开发并维护,当前版本 v1.0.0。
推荐 Skills