Back to skill

Security audit

Pub Weather

Security checks across malware telemetry and agentic risk

Overview

This is labeled as a weather skill, but it actually exposes a broad external SkillBoss API gateway with email, SMS, scraping, documents, and model-provider access.

Install only if you intend to give an agent access to a broad SkillBoss API gateway, not just weather. Use a restricted, revocable API key if possible, avoid sending sensitive prompts/files/audio/URLs through it, and require explicit approval before email, SMS, OTP, scraping, batch messaging, or paid model actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (19)

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill is presented as a weather skill, but it includes outbound email and SMS/OTP capabilities that can trigger real-world actions against external recipients. This scope mismatch increases the chance of misuse, phishing, spam, or unauthorized verification workflows because a caller may invoke side-effecting features that are unrelated to the advertised purpose.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The file exposes a broad multi-purpose AI gateway including chat, image, video, document parsing, search, scraping, email, and SMS under a weather-branded skill. This misleading packaging weakens least-privilege expectations and can cause users or orchestrators to send arbitrary sensitive content to external providers beyond the apparent weather use case.

Intent-Code Divergence

Low
Confidence
90% confidence
Finding
The manifest identifies the skill as weather, while the body documents it as SkillBoss, a broad API aggregator. This inconsistency can mislead reviewers and agents about the skill's real function and trust boundaries, making dangerous capabilities easier to smuggle behind an innocuous label.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The file exposes broad web search, scraping, screenshotting, profile lookup, and CEO transcript capabilities that materially exceed the skill's weather-oriented description. This creates a scope-mismatch risk: users or orchestrators may invoke a seemingly benign weather skill to perform broader data collection or reconnaissance functions without clear disclosure or limiting conditions.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file advertises capabilities far beyond the stated weather purpose, including document parsing, email, SMS, embeddings, and presentation generation. This creates dangerous scope mismatch and expands the attack surface, enabling data exfiltration, outbound messaging abuse, or unauthorized processing under the cover of a benign weather skill.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
Email sending is unrelated to weather retrieval and gives the skill an outbound communication channel that can be abused for spam, phishing, or exfiltration of user data. In the context of a supposedly simple weather skill, this mismatch is especially risky because users and reviewers may not expect or scrutinize such capability.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
SMS verification and notification features are unjustified for a weather-focused skill and introduce a powerful external messaging primitive. If abused, they could be used for unwanted messaging, social engineering, OTP abuse, or cost-incurring notification spam.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Document parsing is not necessary for basic weather retrieval and adds unnecessary capability to ingest and process user-supplied files. This broadens the attack surface and may expose sensitive document contents to a skill whose expected function does not justify such access.

Context-Inappropriate Capability

Low
Confidence
83% confidence
Finding
Embeddings are less directly dangerous than messaging tools, but they still represent unjustified capability creep for a weather skill. They may enable hidden indexing, semantic search, or secondary processing of user content that is outside expected weather functionality.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Presentation generation is unrelated to current weather and forecasts, indicating unnecessary expansion of privilege and functionality. Such capability can be misused to generate persuasive content or process user data in ways not aligned with the skill's stated purpose.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill is presented as weather-focused, but this file documents unrelated video-generation capabilities. This mismatch can mislead users and reviewers about the true scope of the skill, causing underestimation of available functionality and weakening informed consent, governance, and policy review for higher-risk media-generation features.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill documentation encourages sending prompts, audio, documents, search queries, and other content to a third-party API and downstream providers without clear privacy, retention, or sharing warnings. Users may unknowingly transmit sensitive or regulated data off-platform because the description does not disclose the breadth of external processing.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The email and SMS/OTP sections describe outbound communications but do not warn that invoking them can contact real recipients or initiate verification flows. This omission raises the risk of accidental spam, harassment, social engineering, or unauthorized account-related actions.

Vague Triggers

Low
Confidence
89% confidence
Finding
The markdown enumerates powerful search and scraping tools but gives no trigger boundaries, exclusions, or activation constraints. Without scope guidance, an agent may over-invoke these external-access capabilities for unrelated tasks, increasing the chance of unnecessary data retrieval, privacy-invasive lookups, or policy bypass through ambiguous tool selection.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The file advertises external web search, scraping, screenshots, and person/company data retrieval without any privacy or data-collection warning. In practice, this can cause users and calling agents to underestimate that requests may contact third parties, collect personal/business information, or process externally sourced content with associated compliance and consent implications.

External Transmission

Medium
Category
Data Exfiltration
Content
## Email

```bash
curl -s -X POST https://api.heybossai.com/v1/run \
  -H "Authorization: Bearer $SKILLBOSS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
86% confidence
Finding
curl -s -X POST https://api.heybossai.com/v1/run \ -H "Authorization: Bearer $SKILLBOSS_API_KEY" \ -H "Content-Type: application/json" \ -d '{ "model": "email/send", "inputs": {"to": "us

External Transmission

Medium
Category
Data Exfiltration
Content
## Email

```bash
curl -s -X POST https://api.heybossai.com/v1/run \
  -H "Authorization: Bearer $SKILLBOSS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
86% confidence
Finding
https://api.heybossai.com/

External Transmission

Medium
Category
Data Exfiltration
Content
Send OTP:

```bash
curl -s -X POST https://api.heybossai.com/v1/run \
  -H "Authorization: Bearer $SKILLBOSS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
90% confidence
Finding
https://api.heybossai.com/

External Transmission

Medium
Category
Data Exfiltration
Content
Verify OTP:

```bash
curl -s -X POST https://api.heybossai.com/v1/run \
  -H "Authorization: Bearer $SKILLBOSS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
88% confidence
Finding
https://api.heybossai.com/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.