Back to skill

Security audit

Snow Report

Security checks across malware telemetry and agentic risk

Overview

This snow-report skill appears to do what it says: fetch snow reports and optionally remember low-sensitivity resort preferences.

Before installing, be aware that the skill may save your home mountain and favorite resorts in a local preference file for future reports. Do not store anything more sensitive there, and delete or edit that file if you no longer want those preferences retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The skill instructs reading and creating a persistent memory file for user preferences even though its primary purpose is fetching snow reports. Persistent storage is not inherently malicious here, but it expands data handling scope and can create privacy and consent issues if users are not clearly informed that their preferences will be retained across sessions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill tells the agent to use a persistent preferences file without any user-facing warning that their data will be stored. This undermines informed consent and can surprise users who expect a one-time snow lookup rather than durable profile creation.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The first-time setup explicitly instructs creation of a memory file containing the user's home mountain and favorites, but it does not require disclosure that this information will persist. Even though the data is low sensitivity, silent persistence is a privacy weakness and violates user expectations about transparency.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.