ClawHub
Back to skill

Security audit

Weather Radar

Security checks across malware telemetry and agentic risk

Overview

This skill generates weather radar GIFs using expected external map and radar services, with a privacy caution around location use.

Install only if you are comfortable with the skill contacting RainViewer and OpenStreetMap to generate radar images. For privacy, provide an explicit city or coordinates instead of relying on inferred location, and review the output path before running it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
80% confidence
Finding
The description and trigger language are broad enough that the skill could activate for common weather-image requests without a clear boundary, causing unintended tool execution. While not inherently malicious, overbroad activation can lead to unnecessary network access and generation of files when the user may have wanted only a textual answer.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The instruction 'When the user asks for a weather radar map or animated cloud GIF for a location, run the Python script' is an ambiguous activation rule that encourages automatic execution. In context, this is more concerning because execution performs network requests and writes an output file, so a fuzzy trigger can cause unnecessary external access or actions without clear user confirmation.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Defaulting to the user's known location without explicit warning or confirmation creates a privacy risk because it uses potentially sensitive location context to drive external network requests. In this skill, that risk is amplified by contacting a third-party weather service, which may indirectly expose user-associated location data beyond the local environment.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.