Back to skill

Security audit

DHMZ Weather

Security checks across malware telemetry and agentic risk

Overview

This skill fetches public Croatian weather data from named DHMZ-related sites and shows no hidden execution, credential access, persistence, or destructive behavior.

Install if you are comfortable with the agent making live requests to Croatian public weather sites. Provide the city in the command when you want to avoid the agent choosing one from conversation context.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill directs the agent to immediately perform a network request and, when no city is provided, infer the user's location from conversation context without notifying the user. That can expose sensitive location-related context to an external service and bypass user consent, especially because the instruction explicitly says not to ask the user first.

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.