Weather Api

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed construction-weather helper with expected API and file-use needs, though its wording around generic data modeling is broader than ideal.

Install if you are comfortable letting the agent contact Open-Meteo with site coordinates and read or export only the project files you explicitly provide. Avoid giving unrelated local files or sensitive exact locations unless they are needed for the weather-risk analysis.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding
The instructions expand a narrowly scoped weather skill into generic predictive modeling, file handling, and export behavior based on unspecified methods in SKILL.md. This scope creep can cause the agent to process arbitrary user-supplied datasets and perform broader analysis than intended, increasing the chance of unsafe file access, unsupported data processing, or misuse of the skill outside its declared purpose.

VirusTotal

64/64 vendors flagged this skill as clean.
