Back to skill

Security audit

Weather Api

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed construction-weather helper that uses Open-Meteo data and optional user-provided files, with no evidence of hidden persistence, exfiltration, or destructive behavior.

Install if you are comfortable letting the agent contact Open-Meteo with site coordinates and read or export only the project files you explicitly provide. Avoid giving unrelated files or sensitive exact locations unless needed for the construction weather-risk analysis.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The instructions broaden a weather-focused skill into generic predictive modeling, arbitrary data processing, and export workflows without clearly constraining the allowed model types, data sources, or operations. This can enable capability creep, causing the agent to handle unrelated files or user-supplied datasets in ways that exceed the intended trust boundary and may increase exposure to unsafe file handling or misuse.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.