Is google-weather safe?
https://clawhub.ai/Shaharsha/google-weather
The google-weather skill provides a legitimate weather lookup service via Google's Weather API with clean Python code and no prompt injection attempts. However, the installation monitoring reveals concerning access to sensitive files (.aws/credentials, .env, auth-profiles.json) during the install phase, and the skill requests broad exec tool permissions. While these file accesses may be attributable to the OpenClaw runtime rather than the skill itself, they represent a real risk vector.
Findings (8)
HIGH AWS credentials file accessed during install -40
The filesystem monitor recorded an OPEN and ACCESS event on /home/oc-exec/.aws/credentials during the skill installation process. While this may be attributable to the OpenClaw runtime environment rather than the skill itself, it demonstrates that sensitive credential files are exposed during installation and could be read by a malicious skill's install hooks.
HIGH .env file accessed during install -30
The .env file at /home/oc-exec/.env was opened and read during skill installation. The .env file typically contains sensitive environment variables, API keys, and secrets. This access could allow a malicious skill to harvest credentials during the install phase.
MEDIUM Auth profiles accessed during install -15
The OpenClaw agent authentication profiles file, which contains authentication tokens and credentials for configured services, was read during installation.
MEDIUM Broad exec tool permission requested -20
The skill requests 'allowed-tools: [exec]' which grants the agent shell execution capability. While needed to run the Python weather script, this permission allows arbitrary command execution if the skill's instructions are modified or if the agent misinterprets commands.
MEDIUM Outbound HTTP requests to Google APIs -10
The Python script makes outbound HTTP requests to weather.googleapis.com and maps.googleapis.com. These are legitimate Google endpoints, but the skill could be updated to redirect requests or add additional exfiltration endpoints in future versions.
LOW API key transmitted as URL parameter -10
The Google API key is sent as a query parameter in HTTP requests. While this is Google's standard authentication method, API keys in URLs can appear in server logs, proxy logs, and browser history. The key may have permissions beyond just Weather API access.
LOW Secondary environment variable fallback chain -10
The skill advertises support for multiple environment variable names (GOOGLE_API_KEY, GOOGLE_WEATHER_API_KEY, GOOGLE_MAPS_API_KEY). While convenient, this broadens the attack surface by encouraging users to share keys that may have permissions beyond weather access.
INFO OpenClaw runtime file access during install -5
Multiple reads of .openclaw/openclaw.json, .profile, and .bashrc were observed. These appear to be standard OpenClaw runtime bootstrapping behavior rather than skill-initiated actions, but they indicate the runtime environment does not isolate sensitive files from the skill install process.