Beach Safety

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it claims: look up beach conditions using public weather and mapping APIs.

Before installing, understand that any beach name or coordinates you ask about may be sent to public mapping and weather providers. This is expected for the feature, but avoid using highly sensitive location queries if that sharing is a concern.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: User-supplied beach queries are sent to third-party geocoding services, and coordinates are later sent to multiple external weather providers without any explicit disclosure or consent flow. In an agent skill context, users may reasonably expect a local lookup; silent transmission of location-related inputs can expose sensitive travel patterns, habits, or approximate whereabouts to external services.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal