← Back to Directory

Weather API Skill

Scanned on 2/7/2026

85/100low

Well-implemented security practices with proper input validation, rate limiting, and credential handling; minor concerns around API endpoint trust and error handling.

Trust Score
85/100
Risk Level
low
Issues Found
4

Security Analysis

This OpenClaw skill demonstrates strong security fundamentals with a trust score of 85/100. The code implements multiple defense-in-depth layers: input sanitization with strict allowlisting, URL validation restricting to HTTPS and specific domains, proper credential management via environment variables, and rate limiting to prevent abuse. The automated findings correctly identify environment variable access and hardcoded endpoints, but these are implemented securely in context. The environment variable access is for legitimate API key retrieval (not exfiltration), and the hardcoded endpoint is to a known weather service. No data exfiltration risks, credential theft attempts, dangerous code execution, or obfuscation were detected. Minor improvements could include runtime API key validation, persistent rate limiting, request timeouts, and externalizing the API endpoint configuration. Overall, this represents a well-architected secure plugin suitable for deployment with minor enhancements recommended.

Security Findings

low - network

Hardcoded API endpoint domain without runtime verification

Evidence:

const apiUrl = `https://api.weather.com/v1/location/${encodeURIComponent(sanitized)}`;
Recommendation: Add the API endpoint to environment variables or a configuration file to allow for easier auditing and updates. Consider implementing certificate pinning for the weather.com domain.
low - credentials

API key transmitted in Authorization header without additional validation

Evidence:

'Authorization': `Bearer ${API_KEY}`
Recommendation: Add validation to ensure API_KEY exists and matches expected format before making requests. Consider adding a startup check: if (!API_KEY || API_KEY.length < 10) throw new Error('Invalid API key configuration');
info - other

Rate limiter uses in-memory storage which resets on restart

Evidence:

requests: new Map()
Recommendation: For production use, consider persistent storage (Redis, database) to maintain rate limits across restarts and prevent abuse through service restarts.
info - network

No timeout configuration for HTTPS requests

Evidence:

return https.get(apiUrl, { headers: {...} })
Recommendation: Add timeout configuration to prevent hanging requests: https.get(apiUrl, { headers: {...}, timeout: 5000 })

✅ Good Security Practices

  • API key properly sourced from environment variables rather than hardcoded
  • Strong input sanitization using allowlist approach (only alphanumeric and spaces)
  • Input length validation prevents buffer overflow attacks
  • URL encoding prevents injection attacks in API calls
  • HTTPS-only enforcement in URL validation
  • Domain allowlist restricts network calls to trusted endpoints
  • Rate limiting implementation prevents abuse
  • No use of dangerous functions (eval, exec, child_process)
  • No obfuscation or suspicious encoding detected
  • No filesystem access that could lead to data exfiltration
  • Clear, readable code with security comments

Source Information

ClawHub Page:clawhub.com/skills/weather-api-skill
Source URL:../demo-skills/weather-api-skill.js
Code Size:1,549 characters
Semgrep Findings:2