← Back to Skills Marketplace
yuancaihua

weather-query-ych

by yuancaihua · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
422
Downloads
0
Stars
1
Active Installs
1
Versions
Install in OpenClaw
/install weather-query-ych
Description
查询指定城市和日期的天气预报,提供天气状况及温度范围,支持中文城市名和日期解析。
Usage Guidance
This skill appears to do weather lookups, but the author put an API key directly in the code and did not declare any required credentials — that's a red flag. Before installing: (1) ask the publisher to explain the API key origin and revoke it if it's private; (2) prefer a version that accepts an API key via an environment variable or configuration you control; (3) verify the external endpoint (the code uses api.weather.com-style URLs) and ensure it's trustworthy; (4) if you must use it, monitor network activity and consider running it in an isolated environment. If you cannot verify the key/provider, treat the skill as untrusted.
Capability Analysis
Type: OpenClaw Skill Name: weather-query-ych Version: 1.0.0 The skill is classified as suspicious due to significant vulnerabilities related to input sanitization. The `agent.py` file directly interpolates user-provided `city` and `date` values into the API URL without validation, creating a URL injection/SSRF vulnerability. This could allow an attacker to manipulate the API endpoint or potentially target internal network resources if the environment permits. Additionally, the hardcoded API key is a security bad practice, and the naive input parsing `input_text.split("天气")[0]` further exacerbates the risk of malformed input reaching the vulnerable URL construction.
Capability Assessment
Purpose & Capability
Name/description match a simple weather lookup and the code indeed calls an external weather API, but the skill declares no credentials or provider while the code contains an embedded API key and a non-standard URL format. A weather skill would normally request the user's own API key or document the provider — the hard-coded key is unexpected.
Instruction Scope
SKILL.md instructs the agent to parse city/date and call a weather API, which is in-scope. However the runtime code hard-codes an API key and a specific request URL pattern not described in SKILL.md, reducing transparency and giving the skill unilateral network access to an external service without documenting it.
Install Mechanism
No install spec (instruction-only) and no package installation; the only code is a small Python file that uses requests. No additional installers or remote downloads were found.
Credentials
The skill declares no required environment variables or credentials but embeds a literal API key in agent.py. Embedding credentials in code is disproportionate, risks leaking the key, and prevents users from supplying their own credentials as expected.
Persistence & Privilege
The skill is not always-enabled and does not request persistent or system-wide configuration changes. It will perform outbound network requests when invoked, which is expected for a weather lookup.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install weather-query-ych
  3. After installation, invoke the skill by name or use /weather-query-ych
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release with simplified implementation and usage: - Replaced shell script execution with a Python agent for weather queries. - Updated documentation to focus on concise usage, sample inputs, and clear output formats. - Simplified output: formatted text response with city, date, weather status, and temperature range. - Added clear error handling for unrecognized cities and API failures. - Removed legacy shell scripts and related usage instructions.
Metadata
Slug weather-query-ych
Version 1.0.0
License
All-time Installs 1
Active Installs 1
Total Versions 1
Frequently Asked Questions

What is weather-query-ych?

查询指定城市和日期的天气预报,提供天气状况及温度范围,支持中文城市名和日期解析。 It is an AI Agent Skill for Claude Code / OpenClaw, with 422 downloads so far.

How do I install weather-query-ych?

Run "/install weather-query-ych" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is weather-query-ych free?

Yes, weather-query-ych is completely free (open-source). You can download, install and use it at no cost.

Which platforms does weather-query-ych support?

weather-query-ych is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created weather-query-ych?

It is built and maintained by yuancaihua (@yuancaihua); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463815 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259802 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200680 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191345 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190333 · by oswalpalash

💬 Comments