Back to skill

Security audit

hefengweather

Security checks across malware telemetry and agentic risk

Overview

This is mostly a normal weather-query skill, but its setup includes a conflicting API-key link and weak secret-storage guidance that users should review before installing.

Install only if you are comfortable providing a QWeather/HeFeng API key. Use the official QWeather key page referenced later in the docs, prefer HEFENG_WEATHER_API_KEY over config.txt, do not commit config.txt, and consider narrowing chat triggers so routine weather comments do not spend API quota unexpectedly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger phrases are broad, natural-language weather queries such as '今天会下雨吗' and '北京天气怎么样', which can easily overlap with ordinary conversation and cause the skill to activate unintentionally. In chat-based environments like Feishu or WeChat, this can lead to unexpected external API calls, unnecessary disclosure of user message content to third-party services, and noisy or unintended behavior.

Missing User Warnings

Low
Confidence
93% confidence
Finding
The README explicitly recommends storing the API key in a local config file but does not warn about keeping that file out of version control, restricting permissions, or avoiding accidental disclosure. While this is a common documentation pattern, it can lead to credential leakage if users commit the file or share the workspace.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.