Weather Wttr.In

Security checks across malware telemetry and agentic risk

Overview

This weather skill does what it says: it runs a small Python script that fetches weather from wttr.in, with the main consideration being location privacy.

Install only if you are comfortable sending weather queries to wttr.in. To reduce location leakage, provide an explicit city or coordinate instead of running it with no location, since no-location mode lets wttr.in infer an approximate location from your IP.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 94% confidence
Finding: The trigger list includes very broad everyday terms such as 'weather', 'forecast', 'temperature', 'rain', 'humidity', and 'wind', which can cause the skill to activate in many ordinary conversations where the user did not explicitly intend to call this tool. Because the skill sends requests to an external weather service and may infer location, unintended invocation can leak location-related data or cause unexpected network activity.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The documentation states that location auto-detection via IP occurs when no location is specified, but it does not clearly warn users that using the skill may transmit location-related data to wttr.in. This creates a privacy risk because users may unknowingly reveal approximate location information to a third-party service through explicit queries or automatic IP-based lookup.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal