Back to skill

Security audit

Yandex Weather Smarthome

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed home-weather skill that uses a Yandex API key and configured coordinates only to fetch weather.

Install only if you are comfortable configuring a Yandex Weather API key and home coordinates as environment variables and sharing those coordinates with Yandex when weather questions are handled. Use approximate coordinates if exact home location is unnecessary, and be aware that generic weather phrases may trigger the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill uses environment variables and makes outbound network requests, but does not declare explicit permissions beyond runtime requirements. This weakens least-privilege controls and makes it harder for a host platform or reviewer to understand and constrain what the skill can access or transmit.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrases are broad and match very common weather-related words in both Russian and English. This can cause unintended activation, leading the agent to call external services and use configured home-location data when the user did not clearly intend to invoke this specific skill.

Vague Triggers

Medium
Confidence
90% confidence
Finding
Single-word aliases such as "weather," "погода," and "прогноз" are highly ambiguous and likely to collide with normal conversation or other skills. Accidental invocation increases the chance of unnecessary external requests and disclosure of weather derived from the user's home coordinates.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.