Is faleksic/dhmz-weather safe?
https://github.com/openclaw/skills/tree/main/skills/faleksic/dhmz-weather
The dhmz-weather skill is a straightforward Croatian weather data fetcher that makes read-only curl requests to official government meteorological APIs with no local file access, no executable code, no install hooks, and no exfiltration vectors. The only minor concerns are UX-level: an instruction to act without user confirmation and to silently infer location from conversation context, both of which are common but slightly reduce human oversight. Canary files, network monitoring, and filesystem diff all returned clean results.
Category Scores
Findings (5)
LOW Instructed to act without user confirmation -7 ▶
The skill explicitly tells the agent not to ask the user what they want before fetching and displaying weather data. While appropriate for a simple lookup skill, it establishes a pattern of bypassing human confirmation that could be more dangerous if combined with destructive or privacy-sensitive skills.
LOW Silent location inference from conversation context -5 ▶
The agent is instructed to silently read conversation history to determine the user's physical location and use it to parameterize outbound requests. This is benign here but normalizes reading ambient session state.
INFO All external endpoints are verified public government APIs -4 ▶
The 20+ curl endpoints all resolve to official Croatian Meteorological and Hydrological Service infrastructure. No user-controlled or attacker-controlled domains are referenced. No local files are read or encoded into requests.
INFO Clean install with single GitHub connection -2 ▶
Install produced no unexpected processes, no secondary downloads, no modifications outside the skill directory, and no connections beyond github.com.
INFO Canary file accesses attributable to audit framework -3 ▶
Sensitive file PATH records appear before and after the install window, consistent with audit framework setup and teardown, not skill activity. Canary integrity report is clean.