Weather Skill
Author: loverun321 · v1.1.0 · MIT-0
Total downloads: 495 · Favorites: 0 · Current installs: 7 · Versions: 2
Install in OpenClaw
/install weather-skill
Description
Get the current temperature in Celsius for any city, using free weather data from wttr.in with a 0.001 USDT pay-per-call fee.
Security recommendations
Before installing, consider the following:
- The skill contains a plaintext SkillPay API key in SKILL.md and as a default in the code. Confirm who owns that key. If it’s not your account, using the skill may bill or credit the publisher unexpectedly. Ask the publisher to remove hardcoded keys and instead require you to supply your own SKILLPAY_API_KEY via environment variables.
- Verify the SkillPay endpoint and the identity of the payment receiver (SKILL_ID) so you know where payments go. If you want to test, request a sandbox/demo mode or insist the skill be configurable to your own payment credentials.
- The skill will send the provided user_id to the payment endpoint. Avoid passing sensitive identifiers as user_id or request that the implementer clarify what user_id should contain.
- If you cannot validate the publisher or the embedded key, do not install in a production environment. Ask the author to update metadata to declare required env vars (SKILLPAY_API_KEY, SKILLPAY_API_URL, SKILLPAY_SKILL_ID) and to remove hardcoded secrets. Rotate any exposed keys if you control them.
- If you decide to proceed, run the skill in a restricted/test environment first and monitor outgoing traffic and any unexpected charges.
Functional analysis
Type: OpenClaw Skill
Name: weather-skill
Version: 1.1.0
The skill contains a hardcoded API key (SKILLPAY_API_KEY) in both handler.py and SKILL.md, which constitutes a credential exposure vulnerability. It implements a micro-payment system via an external endpoint (skillpay.me) to charge for weather data retrieved from the free wttr.in service. While the code lacks clear malicious intent and includes a permissive 'demo' fallback if the payment service fails, the hardcoded credentials and the use of a third-party billing gateway for free public data are significant security and policy concerns.
Capability assessment
Purpose & Capability
The skill's code implements the described functionality (queries wttr.in and returns temperature). Payment via SkillPay is coherent with the stated 0.001 USDT per call price. However, the registry metadata lists no required environment variables while both SKILL.md and handler.py include and rely on a SkillPay API key and related SKILLPAY_* environment variables (code falls back to a hardcoded key). The omission of declared env requirements is an inconsistency.
Instruction Scope
SKILL.md and handler.py instruct the agent to call an external billing endpoint (https://skillpay.me/api/v1/billing/charge) and to send the user_id, skill_id, and amount. The code will transmit user_id to a third-party payment service (expected for billing) but SKILL.md/mgmt did not declare this network interaction explicitly or the required credential. The SKILL.md also includes a plaintext API key, which broadens the surface for misuse.
Install Mechanism
No install spec and no external downloads. The skill is instruction/code-only and uses Python requests; nothing is written to disk beyond shipping the handler.py. This is low install risk.
Credentials
The code reads SKILLPAY_API_KEY, SKILLPAY_API_URL, and SKILLPAY_SKILL_ID from the environment, but the skill metadata declares no required env vars. Furthermore, a full SkillPay API key is embedded in SKILL.md and hardcoded as the default in handler.py. Embedding an operational API key in distributed code is a sensitive practice: it may allow unintended billing, and it exposes a secret that should be rotated/owned by the publisher. A weather lookup does not inherently require the publisher's private payment key to be distributed with the skill.
Persistence & Privilege
always is false, the skill does not request persistent or platform-wide privileges, and it does not modify other skills or agent configs. Autonomous invocation is allowed (platform default) and not by itself flagged.
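How to use
- Make sure OpenClaw is installed (locally or via Docker).
- Enter the install command in the chat box: /install weather-skill
- Once installation completes, invoke the Skill by name or trigger it with /weather-skill
- Provide the required inputs according to the Skill's parameter description to get structured output.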
Version history
v1.1.0
SkillPay: API URL updated, SKILL_ID configured
v1.0.0
- Initial release of Weather Skill.
- Returns current temperature for any city using wttr.in.
- Temperature displayed in Celsius.
- Requires payment of 0.001 USDT per call via SkillPay (BNB Chain).
- Simple usage: ask for weather in any city.
- Example responses include temperature, condition, humidity, and wind.
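FAQ
What is Weather Skill?
Get the current temperature in Celsius for any city, using free weather data from wttr.in with a 0.001 USDT pay-per-call fee. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 495 cumulative downloads to date.
How do I install Weather Skill?
Run the command "/install weather-skill" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.
Is Weather Skill free?
Yes, Weather Skill is completely free. It is released under the MIT-0 license and can be freely downloaded, installed and used.
Which platforms does Weather Skill support?
Weather Skill is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Weather Skill?
It is developed and maintained by loverun321 (@loverun321); the current version is v1.1.0.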