GPG keys can be created but with skipping the password step, by using the command line gpg --gen-key and following the on-screen instructions listed.
Correct, when using CLI commands you are prompted for a password, but you can leave it blank and press the enter key.
I believe that verifying the key does not require your own key (and hence password) either - at least on command-line (I once verified a message from someone else's public key without my own key, but maybe I'm misremembering. I do know that you have to set the key to be trusted while importing it though.
Partially incorrect: You won't be able to certify (sign) another persons key without your own, but you can indeed verify signed messages without your own key pair. Technically you don't even need to download the public signing key. The results will indicate that the message was signed by xyz key, but also mention that they key is unknown or unavailable. As long as you're willing to confirm that key xyz is they key you expected to have signed the message you don't actually need any keys in your keyring.