Weather Forecast

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward weather skill that sends the requested coordinates to Open-Meteo and shows no hidden, persistent, credential-related, or destructive behavior.

Install if you are comfortable with weather query locations or coordinates being sent to Open-Meteo. Prefer city-level or approximate locations when privacy matters, and avoid using precise current-location coordinates unless needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill explicitly instructs the agent to call an external weather API, so network capability is present even though no permission declaration is indicated. This creates a transparency and governance gap: users and platform controls may not be clearly informed that location-derived data will be transmitted off-platform.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The activation criteria are very broad and can match ordinary weather conversation, causing the skill to trigger when a simple conversational answer might suffice. In context, this increases the chance of unnecessary external API use and unnecessary sharing of user location information, though it does not by itself enable code execution or direct compromise.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill description does not disclose that weather queries may result in transmission of location data or coordinates to the external Open-Meteo service. Because location information can be sensitive, omission of this disclosure reduces informed consent and can lead to unexpected privacy exposure.

VirusTotal

64/64 vendors flagged this skill as clean.
