Is 99percentgod/weather-1-0-0 safe?

https://github.com/openclaw/skills/tree/main/skills/99percentgod/weather-1-0-0

91
SAFE

This weather skill is a benign markdown document providing instructions for using two legitimate public weather APIs (wttr.in and open-meteo.com) via curl. The skill contains no executable code, no install hooks, no prompt injection, and no attempts to access sensitive files. Canary files were read only by the monitoring infrastructure during baseline scans, not by the skill itself. The primary residual risks are the inherent network access to external services required by the skill's function and the theoretical misuse of curl by a separately-compromised agent.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 80/100 · 25%
Code Execution 95/100 · 20%
Clone Behavior 93/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 85/100 · 5%

Findings (6)

LOW Outbound HTTP requests to external weather services -15

The skill instructs the agent to use curl to contact wttr.in and api.open-meteo.com. These are legitimate public weather APIs, but the agent will transmit location strings (and potentially user-provided input) to third-party servers. This is the intended function of the skill, not malicious behavior, but it represents a network trust boundary.

LOW Canary files accessed read-only during monitoring scans -5

The honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were opened and read at 06:06:46 (before the skill was installed) and again at 06:07:03 (post-install monitoring scan). These are read-only accesses by the monitoring infrastructure performing baseline comparisons, not by the skill. The canary integrity check confirms no modifications and no exfiltration.

LOW Skill examples write files to /tmp -5

The SKILL.md includes a documentation example that writes a PNG image to /tmp/weather.png. This is benign for weather use, but it demonstrates that following the skill's instructions the agent will write files to the filesystem. No executable code is present in the skill itself.

LOW Curl capability creates theoretical exfiltration vector -15

A curl-equipped agent following this skill's patterns could be directed by a separate malicious prompt to encode sensitive data into a wttr.in location query, exfiltrating it via the URL. This is not an attack present in the skill itself but a capability risk if the agent is also subject to prompt injection from another source. The skill does not attempt this.

INFO Clean installation with expected GitHub connection only 0

The skill was installed via a sparse git clone from github.com (140.82.121.3:443). No other external connections were made. No new persistent listeners were created. Only the two expected skill files were written to disk.

INFO SKILL.md is clean markdown with no injection patterns 0

Full review of SKILL.md found no hidden instructions, persona overrides, requests to ignore previous instructions, invisible characters, or references to sensitive file paths. The content is straightforward weather API documentation.