7-day weather forecast query powered by Alibaba Cloud IQS web search and page reading. Triggers: "weather forecast", "7-day weather", "weekly weather", "weat...
Security Analysis
high confidence
The skill largely does what it says (queries Alibaba IQS and parses weather pages) but its declared metadata, runtime instructions, and code disagree in ways that could surprise users (undeclared required API key, reading a config file in the user's home, and guidance that encourages modifying the skill's own code).
Name/description (7‑day forecast via Alibaba IQS) match the code and instructions. However, the package metadata declares no required env vars or config paths while both SKILL.md and scripts/weather.mjs require an ALIYUN_IQS_API_KEY and optionally read ~/.alibabacloud/iqs/env. That's an incoherence in declared requirements.
SKILL.md and the script limit operations to calling Alibaba IQS search/readpage endpoints and parsing pages, which is appropriate. But the skill's "evolveHint" explicitly instructs the agent/developer to modify scripts/weather.mjs to add new parsers (i.e., edit the skill's code). That encourages the agent to produce code changes on disk and broadens runtime scope beyond simple queries.
No install spec and no external downloads; the skill is an instruction + included Node.js script. There is no evidence of third‑party packages being pulled or obfuscated installers.
The script and SKILL.md require ALIYUN_IQS_API_KEY (and offer storing it in ~/.alibabacloud/iqs/env), which is proportionate to using Alibaba IQS. However, the registry metadata does not declare this required credential or the config path—this mismatch reduces transparency. The skill reads a file in the user's home directory which was not declared in required config paths.
always:false and no elevated platform privileges. Still, the guidance to add new parsers to scripts/weather.mjs implies modifying files bundled with the skill; if the agent is allowed to write files, that increases blast radius. The skill itself does not explicitly perform persistent installation or set always:true.
Guidance
This skill appears to implement weather lookup via Alibaba IQS and will call cloud-iqs.aliyuncs.com endpoints; that is expected. But before installing or running it:
1) Be aware the SKILL.md and script require ALIYUN_IQS_API_KEY (and may read ~/.alibabacloud/iqs/env), yet the registry metadata does not declare that; ask the publisher to declare required env vars and config paths.
2) Inspect scripts/weather.mjs yourself (it is included) to confirm there are no unexpected behaviors.
3) Consider providing the API key with least privilege and keep it separate from high‑privilege credentials; prefer temporary keys when possible.
4) Decide whether you are comfortable allowing the agent to modify local skill files: the skill’s "evolve" instructions encourage creating/parsing new parser code, which could lead to file writes.
5) If you don't trust the unknown publisher, run the script in an isolated environment (container/VM) or decline.
If you want, ask the author to update the registry metadata to explicitly list ALIYUN_IQS_API_KEY and the optional config file path.
Latest Release
v1.0.0
7-day weather forecast query powered by Alibaba Cloud IQS web search and page reading. Triggers: "weather forecast", "7-day weather", "weekly weather", "weather in [city]", "will it rain", "temperature forecast"
Published by @lijian-github-20190615 on ClawHub