DHMZ Weather

Security checks across malware telemetry and agentic risk

Overview

This weather skill fetches public Croatian weather XML with curl and does not show hidden execution, credential access, persistence, or destructive behavior.

Install if you are comfortable with the agent making live requests to Croatian public weather sites. Provide the city explicitly when you do not want the agent to infer one from conversation context.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill explicitly instructs the agent to immediately fetch weather using an inferred city from conversation context, including the user's location, without asking for confirmation. This creates a privacy risk because the agent may derive and act on location-sensitive data the user did not explicitly request in that invocation, increasing the chance of unintended disclosure or over-collection.

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal