Farmos Weather

Security checks across malware telemetry and agentic risk

Overview

This is a transparent farm weather lookup skill; its main risks are broad activation wording and use of a private farm API endpoint.

Install this only if you recognize the private FarmOS/Agronomy weather service and are comfortable sending farm field IDs or coordinates to it. For ambiguous requests like “weather” or “forecast,” confirm the intended field or location before relying on the result.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 90%
Finding
The trigger phrases include very broad terms such as "forecast," "weather," and "field conditions?" that are likely to appear in ordinary conversation, increasing the chance this skill is invoked when the user did not intend it. In an agent environment, unintended invocation can cause the assistant to call internal weather services, steer the conversation away from the user's real intent, or trigger unnecessary cross-module queries to tasks and observations.

VirusTotal

64/64 vendors flagged this skill as clean.
